Security audit

Douyin (TikTok China) User Profile API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI helper for one Douyin profile lookup, with the main caution that the API token is sent as a URL query parameter.

Install only if you trust JustOneAPI with your API token and with the Douyin secUid values you query. Use a scoped or easily rotated token, avoid sharing command output or request URLs (both can carry the token), and rotate the token if it may have appeared in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill defines the API token as a query parameter and later appends all query parameters directly into the request URL. Query-string credentials are commonly exposed in logs, proxies, browser/history tooling, monitoring systems, and error reports, so the token may be disclosed beyond the intended recipient even when sent over HTTPS.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
  "parameters": [
    {
      "defaultValue": null,
      "description": "Access token for this API service.",
      "enumValues": [],
      "location": "query",
      "name": "token",
Confidence: 91%
Finding: Access token

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.