Douyin Creator Marketplace (Xingtu) Follower Growth Trend API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin/Xingtu analytics endpoint, with a real but disclosed risk that the API token is sent in the URL query string.

Install only if you trust JustOneAPI and are comfortable with the token being sent in the request URL. Use a scoped or easily revocable token if available, avoid sharing logs/screenshots/error output that may contain full URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill requires an authentication token as a query parameter and then appends all query parameters directly into the URL. Query-string tokens are commonly exposed via logs, browser history, proxy/CDN access logs, monitoring tools, referrer leakage, and error reporting, making credential disclosure more likely than header-based authentication. In this context, the token appears to authorize access to third-party API data, so leakage could enable unauthorized API use or data access.

Missing User Warnings

Medium
Confidence: 97%
Finding
The operation requires an authentication token to be sent as a query parameter to an external API, which is risky because query strings are commonly logged by clients, proxies, servers, analytics systems, and browser history. Even though the base URL uses HTTPS, placing credentials in the URL increases the chance of accidental credential exposure and reuse by unauthorized parties.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation requires a `token` query parameter for authentication but gives no warning about sensitive credential handling. Putting auth tokens in query strings is risky because they are commonly captured in logs, browser history, analytics systems, proxy caches, and referral headers, which can lead to credential exposure if users follow the documentation literally.

VirusTotal

65/65 vendors flagged this skill as clean.
