Security audit

Douyin Creator Marketplace (Xingtu) Author Commerce Seeding Base Info API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API wrapper that calls one JustOneAPI Douyin/Xingtu endpoint and shows no hidden persistence, unrelated access, or destructive behavior.

Install this only if you trust JustOneAPI and need this specific Douyin/Xingtu endpoint. Use a minimally scoped token in JUST_ONE_API_TOKEN, avoid logging or sharing command lines and URLs that may contain the token, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 83%

Finding:
The skill requires a user authentication token to be sent as a query parameter in a network request, but the manifest provides no user-facing warning or safer handling guidance. Query-string credentials are commonly exposed in logs, browser history, monitoring systems, and intermediary infrastructure, increasing the risk of credential leakage even when HTTPS is used.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding:
The documentation instructs callers to supply an authentication token as a query parameter without any warning about sensitive credential handling. Query-string tokens are commonly exposed in logs, browser history, analytics, referrers, and intermediary systems, which can lead to credential leakage and unauthorized API access if the token is reused or long-lived.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.