Security audit

Douyin E-commerce Item Details API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrowly scoped Douban details API helper, with one credential-handling weakness users should be aware of.

Install only if you are comfortable sending a JustOneAPI token and Douban subject IDs to the JustOneAPI service. Use a revocable token, avoid logging full request URLs, and rotate the token if a URL containing it may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill sends the API access token as a URL query parameter, which is commonly logged by client tooling, proxies, browser history, server access logs, and observability systems. Even though the request uses HTTPS, query-string secrets have a larger exposure surface than headers and there is no warning or mitigation in the skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.