Douyin Creator Marketplace (Xingtu) Audience Touchpoint Distribution API

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused JustOneAPI wrapper for one Douyin/Xingtu endpoint, with a credential-handling caveat because the API token is sent in the request URL.

Install only if you trust JustOneAPI and are comfortable with this endpoint receiving your token in the URL query string. Use a scoped token if possible, avoid logging full request URLs, do not paste token values into chats or screenshots, and rotate the token if it may have appeared in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill sends the authentication token as a URL query parameter, which is commonly exposed through logs, browser/history storage, proxy caches, monitoring systems, and upstream request tracing. Although the request uses HTTPS, query-string secrets still have broader accidental disclosure risk than headers or request bodies, and this wrapper provides no warning to the user about that behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation explicitly requires a `token` query parameter but provides no warning that it is a sensitive credential. Query-string tokens are especially risky because they are commonly logged in browser history, proxies, analytics systems, server access logs, and debugging tools, which can lead to credential leakage and unauthorized API access.

VirusTotal

63/63 vendors flagged this skill as clean.
