Security audit

Douyin (TikTok China) Video Search API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI Douyin video-search helper; the main caution is that its token and search terms are sent to JustOneAPI, with the token placed in the request URL query string.

Install only if you trust JustOneAPI with the API token and search keywords you submit. Prefer a limited or revocable token if available, avoid sharing terminal logs, screenshots, or debugging output that may include full request URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly defines the API token as a query parameter and later appends all query parameters into the URL before issuing the request. Secrets in URLs are commonly exposed through logs, browser/history equivalents, proxy caches, monitoring systems, crash reports, and upstream service telemetry, so this creates avoidable credential leakage risk even though the request uses HTTPS.

Missing User Warnings

Medium
Confidence: 95%
Finding
The manifest omits an explicit warning that user-provided search keywords and the API access token are sent to the third-party service api.justoneapi.com. This can mislead users or calling agents about data egress and credential handling, increasing privacy and trust risks, especially when search terms may contain sensitive or proprietary information.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.