Douyin Creator Marketplace (Xingtu) KOL Content Keyword Analysis API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper that calls one documented Douyin/Xingtu endpoint, with a real token-handling caveat but no hidden or unrelated behavior.

Install only if you trust JustOneAPI and are comfortable with the token being sent in the request URL. Use a scoped, revocable token where possible, keep it in JUST_ONE_API_TOKEN, avoid logging full request URLs or command lines, and rotate the token if you think URLs or process arguments were captured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill accepts a sensitive authentication token via the command line and then sends it as a URL query parameter. This is dangerous because CLI arguments can be exposed through shell history, process listings, logs, and debugging tooling, while query parameters are commonly captured by proxies, server logs, analytics systems, and error reports, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence: 95%
Finding
Requiring an authentication token in a query parameter is risky because query strings are commonly logged by servers, proxies, analytics tools, browser history, and monitoring systems, which can expose credentials beyond their intended scope. In this skill, the token is sent to an external API gateway, and the manifest provides no warning or safer auth mechanism, increasing the chance of inadvertent credential leakage.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation explicitly requires a user authentication token but provides no warning about secure handling, storage, transmission, or logging of that credential. In agent or integration contexts, this omission can lead developers to pass tokens in unsafe ways, expose them in logs, or treat them as ordinary parameters, increasing the risk of credential leakage and unauthorized API access.

VirusTotal

65/65 vendors flagged this skill as clean.
