Douyin Creator Marketplace (Xingtu) Follower Distribution API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin analytics endpoint, with a real but disclosed caution that the API token is sent in the URL query string.

Install only if you are comfortable sending a JustOneAPI token to api.justoneapi.com for this analytics lookup. Use an environment variable, avoid sharing full request URLs or logs, and rotate or scope the token if your JustOneAPI account supports it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill sends the authentication token as a URL query parameter, which is commonly exposed in logs, browser history, proxy records, monitoring systems, and error messages. Even though the request uses HTTPS, query-string credentials are more likely to be inadvertently retained or disclosed than tokens sent in an Authorization header or request header.

Missing User Warnings

Medium
Confidence: 94%
Finding
The operation requires a user authentication token to be sent as a query parameter to an external API, yet the manifest provides no user-facing warning or consent boundary around credential transmission. Query-string tokens are especially risky because they are commonly logged by clients, proxies, and servers, increasing the chance of credential leakage or unauthorized reuse.

Missing User Warnings

Medium
Confidence: 95%
Finding
The API requires an authentication token in the query string, which is commonly logged by browsers, proxies, web servers, analytics tools, and monitoring systems. This increases the chance of credential leakage through URL history, referer headers, or infrastructure logs, especially in an API-integration skill where users may paste live tokens directly into requests.

VirusTotal

65/65 vendors flagged this skill as clean.
