ClawHub

Douyin Creator Marketplace (Xingtu) KOL Comment Keyword Analysis API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin/Xingtu analytics endpoint, with the main caution that its API token is sent as a URL query parameter.

Install only if you trust JustOneAPI and are comfortable sending JUST_ONE_API_TOKEN to api.justoneapi.com for this endpoint. Prefer a scoped or short-lived token if available, avoid logging full request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill requires the authentication token as a query parameter and then appends all query parameters directly to the URL before issuing the request. Query-string tokens are commonly exposed in logs, browser/history tooling, proxy telemetry, error reports, and upstream monitoring systems, so credentials can leak beyond the intended recipient even when HTTPS is used. In this skill context, the token is a primary authenticator for a third-party API, so leakage could allow unauthorized API access or account misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly requires a user authentication token but provides no guidance on secure handling, storage, redaction, or transmission of that credential. In an agent skill context, this omission increases the chance that integrators will pass the token in logs, prompts, screenshots, or other insecure channels, leading to credential leakage and unauthorized API access.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal