Douyin Creator Marketplace (Xingtu) Showcase Items API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API helper for one JustOneAPI Douyin/Xingtu endpoint, with the main caution that its token is passed in the URL query string.

Install only if you trust JustOneAPI and are comfortable sending your JUST_ONE_API_TOKEN to its API in the request URL. Avoid sharing terminal history, command logs, full request URLs, screenshots, or error traces that may include the token, and use a limited-scope or revocable token if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (97% confidence)
Finding
The skill accepts a sensitive authentication token via the --token CLI flag and then injects it into the request as the query parameter token. Query-string secrets are commonly exposed through shell history, process listings, logs, proxies, browser/network tooling, and upstream server access logs, so this creates unnecessary credential leakage risk even though the request is sent over HTTPS.

Missing User Warnings

Medium (96% confidence)
Finding
The manifest requires a user-supplied authentication token in a query parameter for an external API but does not warn users that sensitive credentials will be transmitted off-platform. This can lead to inadvertent credential disclosure, token mishandling in logs, browser history, intermediary systems, or agent traces, especially because query parameters are more likely to be recorded than headers.

VirusTotal

65/65 vendors flagged this skill as clean.