Security audit

Douyin Creator Marketplace (Xingtu) Cost Performance Analysis API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for one Douyin/Xingtu lookup endpoint, with a real credential-handling caution but no hidden or unrelated behavior found.

Install only if you trust JustOneAPI and are comfortable sending JUST_ONE_API_TOKEN to api.justoneapi.com. Prefer a limited-scope or disposable token if available, avoid logging full request URLs, and rotate the token if it may have appeared in logs or error reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding:
The skill includes the authentication token as a query parameter and constructs a GET request URL containing that secret. Query-string tokens are routinely exposed through logs, browser/history tooling, proxy layers, monitoring systems, error messages, and referrer leakage, so the credential may be disclosed even when HTTPS is used. In this skill, the risk is increased because the token is a required auth credential for a third-party API and there is no warning or safer transport mechanism.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The API requires a user authentication token as a query parameter, but the manifest provides no user-facing warning that sensitive credentials will be transmitted. Putting tokens in the URL query string is risky because URLs may be logged by clients, proxies, analytics systems, browser history, or server infrastructure, increasing the chance of credential exposure.

VirusTotal

63/63 vendors flagged this skill as clean.