Security audit

Douyin (TikTok China) User Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI Douyin user-search helper, with the main caution that its API token is sent as a URL query parameter.

Install only if you trust JustOneAPI and need this Douyin user-search endpoint. Use a scoped, rotatable JUST_ONE_API_TOKEN, avoid logging full request URLs or command invocations that include the token, and rotate the token if it may have appeared in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 96% confidence
Finding
The skill sends the API access token in the URL query string, which is commonly logged by clients, proxies, servers, browser history, and observability tooling. Even though the request uses HTTPS, query parameters are still widely exposed in logs and diagnostics, making credential leakage more likely than if the token were sent in an Authorization header.

Missing User Warnings

Medium, 95% confidence
Finding
The skill requires an access token to be sent to an external third-party API as a query parameter, but the manifest provides no user-facing disclosure about credential transmission or external data sharing. Query-parameter credentials are especially risky because they may be logged by clients, proxies, gateways, and server access logs, increasing the chance of token leakage beyond the immediate request.

VirusTotal

63/63 vendors flagged this skill as clean.