ClawHub

Douyin Creator Marketplace (Xingtu) Item Report Analysis API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one read-only Douyin/Xingtu report endpoint, with a credential-handling caveat.

Install only if you trust JustOneAPI and are comfortable with your API token being sent in the request URL query string. Use a limited-scope token if available, avoid sharing logs or error output that may include full request URLs, and rotate the token if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill requires the authentication token to be sent as a query parameter and then appends it into the request URL. Query-string credentials are commonly exposed through logs, browser/history tooling, proxy infrastructure, monitoring systems, referrer leakage, and error reporting, so the token can be captured even when TLS is used. In this skill context, the risk is more credible because the token is the primary secret used to access a third-party API and the code provides no warning or safer alternative.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest requires a user authentication token as a query parameter but does not provide any warning about secret handling, third-party transmission, or logging exposure. Query parameters are commonly captured in logs, analytics, browser history, and intermediary systems, so treating an auth token this way can lead to credential leakage and unauthorized access to the user's external account.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal