Douyin Creator Marketplace (Xingtu) Creator Channel Metrics API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API helper for one Douyin/Xingtu metrics endpoint. It carries a real, and acknowledged, credential-handling caveat: the authentication token is sent in the request URL as a query parameter.

Install only if you trust JustOneAPI and accept that this API sends the token as a URL query parameter. Avoid sharing command output, logs, screenshots, traces, or error reports that could include full request URLs, and prefer a low-privilege token that can be rotated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Finding 1: Missing User Warnings
Severity: Medium
Confidence: 98%

The skill explicitly models the authentication token as a query parameter and appends it to the URL before issuing the request. Query-string secrets are commonly exposed through logs, browser history capture, upstream proxies, analytics tooling, and monitoring systems, so the token can leak even when TLS is used. In this API-wrapper context the risk is real because the code provides no warning and no safer alternative.

Finding 2: Missing User Warnings
Severity: Medium
Confidence: 82%

The documentation explicitly requires a user authentication token in a query parameter but gives no warning about secure handling, logging exposure, or transmission risks. Query-string tokens are especially sensitive because they are commonly captured in logs, analytics, browser history, intermediary systems, and debugging output, which increases the chance of credential leakage and unauthorized API access.
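Both findings describe the same exposure: a token placed in the query string ends up wherever the full URL is recorded. The following is an added example, not code from the JustOneAPI skill or from SkillSpector. It shows the flagged pattern (a token appended to the URL), a check that detects secret-looking query parameters, and a redaction step that scrubs such values from URLs and from log lines before they are shared. The parameter name `token`, the host `api.example.invalid`, the sample log lines, and the list of sensitive parameter names are all constructed assumptions; the page does not state the endpoint's real parameter name.

```python
"""Detect and redact an auth token that a client put in a URL query string.

Added example; the parameter names, host and log lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as secrets (assumption; extend for your API).
SECRET_PARAMS = {"token", "access_token", "api_key", "apikey", "key", "secret"}
REDACTED = "REDACTED"

# Full URLs anywhere in free text, and bare request targets such as
# "GET /path?token=... HTTP/1.1" found in access logs.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TARGET_RE = re.compile(r"(?<=\s)/\S*\?\S*")


def build_url_with_token(base_url: str, params: dict, token: str) -> str:
    """The pattern the scanner flagged: the credential rides in the query string,
    so every proxy, access log and debug trace that records the URL sees it."""
    query = dict(params)
    query["token"] = token  # assumed parameter name
    return f"{base_url}?{urlencode(query)}"


def find_query_secrets(url: str) -> list[str]:
    """Return the names of secret-looking parameters present in the query string.
    Works for full URLs and for bare request targets like '/path?token=x'."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in query if name.lower() in SECRET_PARAMS})


def redact_url(url: str) -> str:
    """Replace the value of every secret parameter while keeping scheme, host,
    path, the other parameters and any fragment intact."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SECRET_PARAMS else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log_line(line: str) -> str:
    """Redact secrets inside every URL or request target embedded in a log line."""
    line = URL_RE.sub(lambda m: redact_url(m.group(0)), line)
    return TARGET_RE.sub(lambda m: redact_url(m.group(0)), line)


def redact_all(lines: list[str]) -> list[str]:
    return [redact_log_line(line) for line in lines]


# Constructed sample log lines in the shapes the findings mention: an access
# log, a client debug trace and a proxy error report.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] '
    '"GET /creator/metrics?channel=123&token=sk_live_ABC123 HTTP/1.1" 200 512',
    'DEBUG client: GET https://api.example.invalid/creator/metrics'
    '?channel=123&token=sk_live_ABC123',
    'ERROR upstream timeout for https://api.example.invalid/creator/metrics'
    '?token=sk_live_ABC123&channel=123 after 30s',
]

if __name__ == "__main__":
    url = build_url_with_token("https://api.example.invalid/creator/metrics",
                               {"channel": "123"}, "sk_live_ABC123")
    print("secret params:", find_query_secrets(url))
    print("safe to share:", redact_url(url))
    for line in redact_all(SAMPLE_LOG_LINES):
        print(line)
```

Run `find_query_secrets` over the URLs a wrapper builds to catch this pattern in review, and pass anything destined for a bug report or shared trace through `redact_log_line` first. Redaction only limits the blast radius; the token still traverses every intermediary in the clear inside the request line, which is why the overview recommends a low-privilege, rotatable token.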

VirusTotal

64/64 vendors reported this skill as clean.
