Douyin Creator Marketplace (Xingtu) Spread Metrics API

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused JustOneAPI helper for a single Douyin/Xingtu spread-metrics endpoint. The main caution is that the API token is passed as a query parameter, so it appears in the request URL of every call.

Install only if you trust JustOneAPI and can use a scoped or revocable token. Avoid sharing command traces, logs, screenshots, copied URLs, or backend error records from runs, because the token may appear in the request URL; if any such artifact has already been shared, revoke and rotate the token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding
The skill explicitly models the authentication token as a query parameter and injects it into the request URL. Query-string secrets are commonly exposed through access logs, shell and browser history, monitoring systems, proxies, and upstream service telemetry, so the token may be disclosed beyond its intended recipients.

Missing User Warnings

Severity: Medium
Confidence: 88%

Finding
The skill requires a user authentication token as a query parameter, which increases the risk of credential exposure through logs, browser history, intermediary systems, analytics tooling, and error traces. HTTPS protects the URL in transit, but it does not protect it at rest: URLs are recorded far more widely than request headers or secret stores, which is why placing secrets in the URL is a well-known unsafe practice.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding
The documentation requires a `token` query parameter for authentication but gives no warning about sensitive credential handling. Query parameters are commonly exposed in logs, browser history, analytics, Referer headers, and intermediary systems, so documenting token use this way without a caution increases the chance of credential leakage and unauthorized API access.
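The three findings describe one mechanism: a token placed in the query string is part of the URL, and URLs are what proxies, access logs and histories record. The following is an added example, not code from the skill or from JustOneAPI, that builds the same request two ways and shows where a log or proxy would see the token in each. The endpoint URL, the `author_id` parameter and the `Authorization: Bearer` header form are assumptions for illustration; the page does not say whether JustOneAPI accepts a header-based token. The `redact_url` helper is the part that applies regardless: run it over any URL before it reaches a log, trace or screenshot.

```python
"""Added example: token-in-URL versus token-in-header, plus log redaction.

Nothing here is sent over the network; urllib Request objects are built and
inspected so the example runs offline. Endpoint, parameter names and the
header form are assumed placeholders, not the real JustOneAPI contract.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

BASE = "https://example.invalid/xingtu/spread_metrics"  # assumed placeholder endpoint
SECRET_PARAMS = {"token", "api_key", "access_token"}      # query keys to scrub


def build_query_token_request(token: str, author_id: str) -> Request:
    """The pattern the findings describe: the secret rides in the URL."""
    url = f"{BASE}?{urlencode({'token': token, 'author_id': author_id})}"
    return Request(url, method="GET")


def build_header_token_request(token: str, author_id: str) -> Request:
    """Assumed hardened form: only non-secret data in the URL, token in a header.
    Headers are still visible to the TLS endpoints, but they are not part of the
    URL that access logs, histories and Referer headers capture."""
    url = f"{BASE}?{urlencode({'author_id': author_id})}"
    return Request(url, headers={"Authorization": f"Bearer {token}"}, method="GET")


def redact_url(url: str, secret_params=SECRET_PARAMS) -> str:
    """Replace secret query values with a placeholder so a logged URL cannot leak them.
    Non-secret parameters are kept so the log line stays useful for debugging."""
    parts = urlsplit(url)
    pairs = [
        (k, "REDACTED" if k.lower() in secret_params else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def token_exposed_in(request: Request, token: str) -> dict:
    """Where would a proxy or log see the token? Check URL and headers separately."""
    return {
        "url": token in request.full_url,
        "headers": any(token in value for value in request.headers.values()),
    }


if __name__ == "__main__":
    demo_token = "sk_constructed_example_token"  # constructed, not a real credential
    for label, req in (
        ("query-string token", build_query_token_request(demo_token, "123")),
        ("header token", build_header_token_request(demo_token, "123")),
    ):
        print(f"{label}: exposure={token_exposed_in(req, demo_token)}")
        print(f"  safe to log: {redact_url(req.full_url)}")
```

Run it as a script to see the two exposure maps; the query-string form reports the token in the URL, the header form reports it only in headers. In a real client, route every URL through `redact_url` (or an equivalent logging filter) before printing, and grep existing logs and shell history for the token value itself: if it turns up anywhere, rotate it.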

VirusTotal

65/65 vendors flagged this skill as clean. Note that an antivirus scan checks the package for known malicious code; it does not evaluate credential handling, so a clean result does not offset the findings above.

View on VirusTotal