Douyin Creator Marketplace (Xingtu) Item Report Trends API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin/Xingtu reporting endpoint, with a disclosed but suboptimal design that passes the token in the query string.

Install only if you trust JustOneAPI with the requested Douyin/Xingtu data and token. Use a limited or disposable token if available, avoid logging full request URLs, and do not paste token values into chat, screenshots, or shared command output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the authentication token as a query parameter and later appends all query parameters directly into the request URL. Query-string tokens are commonly exposed through logs, browser/history tooling, proxy infrastructure, monitoring systems, and error messages, making accidental credential disclosure more likely than if the token were sent in an Authorization header. In this skill context, the token grants access to a third-party API, so leakage could enable unauthorized API use and data access under the user's account.

Missing User Warnings

Medium
Confidence: 94%
Finding
The manifest requires a user authentication token to be sent as a query parameter to an external API, but provides no user-facing warning or consent language about credential transmission. Query parameters are commonly logged by intermediaries, client tooling, and server access logs, so this design increases the risk of credential leakage and unintended disclosure to third parties.

Missing User Warnings

Medium
Confidence: 91%
Finding
The operation documentation exposes a sensitive `token` query parameter as a normal required input without any warning about secure handling, logging, or leakage risks. Query parameters are commonly captured in browser history, server logs, proxies, and analytics systems, so documenting authentication this way can encourage insecure integrations and credential exposure.

VirusTotal

65/65 vendors flagged this skill as clean.