Douyin Creator Marketplace (Xingtu) KOL Keyword Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow API helper for JustOneAPI creator search. Treat its API token carefully: the upstream API expects the token as a parameter in the request URL's query string, not in a header.

Install only if you trust JustOneAPI with your API token and search queries. Avoid sharing command traces, logs, screenshots, or error output that might include the full request URL, and rotate the token if a URL containing it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding:
The skill requires the authentication token to be sent as a URL query parameter, and `applyQueryParams` appends all query parameters directly onto the request URL. Query-string credentials are commonly exposed through logs, browser/history artifacts, reverse proxies, monitoring systems, and error telemetry, making accidental token disclosure much more likely than header-based authentication. In this skill’s context, the token is the primary credential for a third-party API, so leakage could allow unauthorized API use and account abuse.

Missing User Warnings

Medium
Confidence: 98%
Finding:
Passing an authentication token in the query string is a real security issue because URLs are commonly logged by servers, proxies, client libraries, browser history, and monitoring systems. Even over HTTPS, the token may be exposed through operational logs or error traces, increasing the risk of credential leakage and unauthorized API use.

VirusTotal

64/64 vendors flagged this skill as clean.
