
Security audit

Douyin Creator Marketplace (Xingtu) Creator Link Metrics API

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it requires an API token in the request URL, which can expose credentials through logs or copied URLs.

Review before installing. Use only a low-scope, revocable token for this skill, avoid sharing logs or full request URLs, and prefer a version that sends credentials in an Authorization header or clearly documents and redacts URL-based tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill defines the authentication token as a query parameter and then appends all query parameters directly into the request URL. Query-string tokens are routinely exposed through server access logs, browser history and its client-side equivalents, proxy and CDN logs, monitoring tools, error messages, and downstream telemetry, so the credential can leak even though HTTPS protects it in transit. In this skill the risk is concrete: the token is a required credential for a third-party API call, and the code neither warns the user nor offers a safer alternative.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Passing a required authentication token in the query string is dangerous because query parameters are commonly logged by servers, proxies, monitoring systems, browser history, and intermediary infrastructure. Even over HTTPS, anyone with access to those logs or to a copied URL can read the token and replay it against the API until it is revoked.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The operation documentation instructs the user to supply the authentication token as a query parameter. This is a sensitive transport pattern because query strings are commonly logged by servers, proxies, analytics tools, browser history, and monitoring systems. In an API skill context, users and downstream tooling that follow the documentation literally will expose the token to every one of those sinks, increasing the chance of credential disclosure and replay.
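The three findings above, and the overview's recommendation, come down to one contrast: where the token lands when a request is written to a log. The following added example (editor's illustration, not the skill's own code) builds the flagged query-string request next to the Authorization-header alternative, formats each as a typical access-log line to show what an intermediary would record, and includes a redactor for URLs that already carry a token. The host, the parameter names (access_token, creator_id) and the token value are constructed placeholders, not the real API's.

```python
"""Query-string token vs. Authorization header, and log-line redaction.

Added example for this audit page; the endpoint, parameter names and token
below are constructed for illustration and are not the audited skill's code.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names to scrub before a URL is logged (assumed list; extend per API).
SENSITIVE_PARAMS = {"access_token", "token", "api_key", "apikey", "key", "secret"}


def build_query_token_request(base_url, params, token):
    """The flagged pattern: the credential becomes just another query
    parameter, so the full URL, token included, is what servers, proxies,
    CDNs and error handlers record."""
    query = dict(params)
    query["access_token"] = token  # assumed parameter name
    return {"method": "GET", "url": f"{base_url}?{urlencode(query)}", "headers": {}}


def build_header_token_request(base_url, params, token):
    """Hardened form: the credential travels in a header, which access logs
    normally do not record, and the URL carries only non-secret parameters."""
    url = f"{base_url}?{urlencode(params)}" if params else base_url
    return {"method": "GET", "url": url, "headers": {"Authorization": f"Bearer {token}"}}


def access_log_line(request, status=200):
    """Format a request the way a common-log-format access log would: method,
    path plus query, protocol, status. Headers are not part of the line."""
    parts = urlsplit(request["url"])
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'"{request["method"]} {target} HTTP/1.1" {status}'


def redact_url(url, sensitive=SENSITIVE_PARAMS):
    """Replace the values of known-sensitive query parameters so a URL can be
    logged or shared without disclosing the credential. Parameter order is kept."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def token_appears_in_log(request, token):
    """True if a plain access-log line for this request would contain the token."""
    return token in access_log_line(request)


if __name__ == "__main__":
    TOKEN = "tok_constructed_0123456789"  # constructed placeholder, not a real credential
    BASE = "https://api.example.test/v1/creator_metrics"  # assumed endpoint
    params = {"creator_id": "123"}

    flagged = build_query_token_request(BASE, params, TOKEN)
    hardened = build_header_token_request(BASE, params, TOKEN)

    print("query-string form logs as:", access_log_line(flagged))
    print("header form logs as:      ", access_log_line(hardened))
    print("redacted URL:             ", redact_url(flagged["url"]))
```

Run it and the first log line contains the token while the second does not; the redactor shows what a skill that insists on URL-based tokens should do before it prints, logs or echoes a request URL. Note that redaction only protects the logs the skill itself writes; proxies, CDNs and the API provider still see the unredacted URL, which is why the header form is the better fix.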

VirusTotal

64/64 vendors rated this skill clean; no vendor flagged it.


Static analysis

No suspicious patterns detected.