Douyin Creator Marketplace (Xingtu) Creator Link Metrics API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow API wrapper for one JustOneAPI Douyin/Xingtu metrics endpoint, with a credential-handling caution because the API token is sent as a URL query parameter.

Install only if you trust JustOneAPI and are comfortable sending JUST_ONE_API_TOKEN to api.justoneapi.com. Treat the token as sensitive, avoid logging full request URLs or pasting token values into chat, and prefer a short-lived or easily revocable token if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The API requires a sensitive authentication token to be sent in the URL query string, which is commonly captured in browser history, reverse-proxy logs, analytics systems, caches, and monitoring tools. Even though the endpoint uses HTTPS, query parameters are still more widely exposed than headers, so this creates unnecessary credential leakage risk for anyone invoking the skill.

Missing User Warnings

Medium
Confidence: 94%
Finding
The operation documentation requires a `token` query parameter for an external API call but does not warn users that they are transmitting sensitive credentials to a third-party service. Putting authentication material in query strings is especially risky because URLs are commonly logged by clients, proxies, gateways, analytics systems, and browser history, which can lead to credential disclosure and unauthorized API access.

VirusTotal

62/62 vendors flagged this skill as clean.
