ClawHub

Douyin Creator Marketplace (Xingtu) Cost Performance Analysis API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin/Xingtu lookup endpoint, with a real but disclosed token-handling caveat.

Install only if you trust JustOneAPI with your API token and queried creator IDs. Keep JUST_ONE_API_TOKEN out of chat, screenshots, and logs, and understand that this helper passes the token through the command line and URL query string; rotate the token if you believe command history, process logs, proxy logs, or API logs may have exposed it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API authentication token is defined as a query parameter and later appended to the request URL, which exposes the credential in places URLs are commonly logged or retained, such as shell history, proxies, analytics systems, and server access logs. Even though the request uses HTTPS, putting secrets in the URL materially increases the chance of credential leakage beyond the immediate transport layer.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script accepts a sensitive token via the --token CLI argument and injects it into request parameters, which in this implementation means it is then sent as a URL query parameter. CLI arguments may be exposed through shell history, process listings, job runners, and audit tooling, so this handling increases the risk of credential disclosure even if the code is otherwise straightforward and not overtly malicious.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Passing an authentication token in the query string is dangerous because query parameters are commonly logged by clients, proxies, gateways, observability tooling, browser history, and server access logs. In an API skill context, this increases the chance of credential leakage and replay by anyone who can access those logs or captured URLs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The operation documentation requires a user authentication token as a query parameter but provides no warning about secure handling, storage, or transmission of that credential. Query parameters are commonly exposed in logs, browser history, analytics systems, proxy caches, and monitoring tools, which increases the chance of accidental token disclosure and downstream account or API misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal