Douyin Creator Marketplace (Xingtu) Conversion Analysis API

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for authenticated creator marketplace analytics, but its token-in-URL design needs careful handling.

Use a narrowly scoped, revocable token if the marketplace offers one. Because the token may appear in the request URL, do not share logs, screenshots, browser history, or copied URLs produced while using this skill, and rotate the token if any of these may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Requiring the authentication token in a query parameter is dangerous because query strings are commonly exposed in logs, proxies, browser history, observability systems, and referrer-like telemetry, increasing the chance of credential leakage. In this skill's context, the token protects access to creator marketplace analytics, so compromise could enable unauthorized API access and data exposure until the token is rotated.
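The practical consequence of the finding above (and of the handling advice in the Overview) is that every place a request URL is recorded becomes a credential store. The following is an added example, not code from the skill or from the scanner: it redacts sensitive query parameters from URLs embedded in log lines before they are stored or shared, and scans existing log lines to decide whether a token has already leaked and must be rotated. The parameter names, the host `example.invalid` and the sample log lines are constructed for illustration.

```python
"""Redact credentials carried in URL query strings before a URL or a log line
is stored, shared or forwarded, and find tokens that have already leaked.

Added example for the token-in-query-parameter finding; not part of the skill
or the scanner. Parameter names, host and log lines are constructed.
"""

import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as secrets. These names are assumptions for
# illustration; use whatever the API actually calls its credential.
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "secret"}
REDACTED = "REDACTED"

# Anything that looks like an absolute http(s) URL inside free text. Stops at
# whitespace and quote characters so it works on access and proxy log lines.
URL_RE = re.compile(r'''https?://[^\s"'<>]+''')

# Constructed proxy-style log lines (not real traffic): line 1 carries the
# token in the request URL, line 3 carries it in a Referer, line 2 is clean.
SAMPLE_LOG = [
    '10.0.0.5 "GET https://example.invalid/api/conversion?creator_id=42&token=abc123 HTTP/1.1" 200',
    '10.0.0.5 "GET https://example.invalid/api/health HTTP/1.1" 200',
    '10.0.0.9 "GET https://example.invalid/static/app.js HTTP/1.1" 200 referer="https://example.invalid/report?token=abc123"',
]


def redact_url(url: str) -> str:
    """Return url with the values of sensitive query parameters replaced.

    Non-sensitive parameters keep their order and values, so the redacted URL
    is still useful for debugging. Matching on the parameter name is
    case-insensitive; the name itself is preserved as written.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    # parse_qsl decodes and urlencode re-encodes, so normal values round-trip.
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_line(line: str) -> str:
    """Redact every URL embedded in one log line (request line, Referer, ...)."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)


def find_exposed_tokens(lines):
    """Return (line_number, parameter_name) for every sensitive parameter that
    still carries a real value in the given log lines.

    Run this over logs that already exist: any hit means the token in question
    has been written to disk and should be rotated, not merely redacted.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            query = urlsplit(m.group(0)).query
            for k, v in parse_qsl(query, keep_blank_values=True):
                if k.lower() in SENSITIVE_PARAMS and v and v != REDACTED:
                    hits.append((n, k))
    return hits


if __name__ == "__main__":
    print("exposed before redaction:", find_exposed_tokens(SAMPLE_LOG))
    cleaned_log = [redact_line(line) for line in SAMPLE_LOG]
    for line in cleaned_log:
        print(line)
    print("exposed after redaction:", find_exposed_tokens(cleaned_log))
```

Redaction belongs at the first hop that records the URL (the agent's own request logger, the proxy, the log shipper); anything downstream has already stored the secret. Note that the fragment part of a URL is never sent to the server, but it still lands in browser history, so it is not a safe place for a token either.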

VirusTotal

63/63 vendors flagged this skill as clean.
