ClawHub

Douyin Creator Marketplace (Xingtu) Audience Distribution API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for one read-only Douyin/Xingtu audience endpoint, with a disclosed credential-handling caveat but no hidden or unrelated behavior.

Before installing, confirm you trust JustOneAPI with your API token and the creator IDs you query. Treat JUST_ONE_API_TOKEN as sensitive because this helper sends it in the URL query string to api.justoneapi.com; avoid sharing command lines, request URLs, logs, screenshots, or error traces that could expose it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly models the authentication token as a query parameter and injects it into the request URL. Query-string tokens are routinely exposed through logs, proxies, browser history, monitoring systems, and error telemetry, which increases the chance of credential leakage even when HTTPS is used. In this skill context, the token is the primary credential for accessing a third-party API, so exposing it in URLs is unnecessary and risky.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Passing an authentication token in the query string is risky because query parameters are commonly logged by servers, proxies, monitoring systems, browser history, and error traces. Even over HTTPS, the token may be exposed through operational logging or accidental sharing, enabling unauthorized API access if leaked.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation explicitly requires a user authentication token in a query parameter but provides no warning about treating it as sensitive or avoiding logging, sharing, or exposing it in URLs. Query-string tokens are especially prone to leakage through browser history, analytics, proxy logs, server logs, and screenshots, so omitting credential-handling guidance increases the risk of accidental exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal