Douyin Creator Marketplace (Xingtu) Creator Link Structure API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward JustOneAPI API wrapper, with the main caution that its access token is passed in the request URL.

Install only if you trust JustOneAPI with the token and endpoint data. Prefer a limited or revocable token, avoid sharing logs or URLs from failed requests, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill requires and forwards the authentication token as a URL query parameter (`token`), which is then embedded in the request URL. Query parameters are commonly exposed through logs, proxies, browser/history tooling, analytics, error reporting, and upstream infrastructure, making credential leakage more likely than if the token were sent in an authorization header. In this API-wrapper context, the risk is real because the script constructs the URL directly and provides no warning or mitigation to users.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill requires a user authentication token as a query parameter without any explicit warning that the secret will be transmitted to an external service. Passing secrets in query strings is risky because they are commonly logged by clients, gateways, proxies, browser history, and monitoring systems, increasing the chance of credential exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal