Security audit

Douyin Creator Marketplace (Xingtu) Author Commerce Spread Info API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI wrapper for one Douyin marketplace endpoint, with the main caution that its API token is sent in the request URL query.

Install only if you trust JustOneAPI and are comfortable using a JUST_ONE_API_TOKEN for this endpoint. Prefer a limited or easily revoked token, avoid sharing command output or logs that may contain request details, and revoke the token if you see unexpected usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 98% confidence

Finding: The skill takes an authentication token and appends it to the request URL as a query parameter. Query-string secrets are routinely exposed through access logs, browser history, proxy caches, monitoring systems, and error reporting, so credential leakage is more likely than if the token were sent in an Authorization header. In this skill context the risk is real because the code exists specifically to call a third-party API over the network and gives no warning that the token will be embedded in the URL.

Missing User Warnings

Medium, 96% confidence

Finding: The skill requires a sensitive authentication token to be sent as a query parameter to an external API. Query parameters are more likely than headers or dedicated secret-handling mechanisms to be exposed through logs, browser history, intermediary systems, analytics, and monitoring tooling, which increases the chance of credential leakage.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.