Security audit

Douyin Creator Marketplace (Xingtu) Recommended Videos API

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent JustOneAPI/Douyin API helper, but it passes a user API token in URL query parameters without a sufficiently clear user-facing warning about that exposure risk.

Install only if you trust JustOneAPI with the token and understand that the token may appear in request URLs. Use a scoped, revocable token if possible, avoid sharing logs or command output that could include URLs, and revoke or rotate the token if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 98%
Finding:
The skill transmits the authentication token as a URL query parameter (`token`). Query strings are commonly recorded in places such as reverse proxies, browser history, CLI history wrappers, observability systems, and backend access logs. Even though the request uses HTTPS, query-string secrets have a much larger exposure surface than headers or request bodies, making accidental credential disclosure significantly more likely.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill requires a user authentication token as a query parameter for an external API call, but the manifest provides no user-facing warning that credentials will be transmitted to a third-party service. This can lead to inadvertent disclosure of sensitive tokens, especially if users do not understand the trust boundary or if query strings are logged by clients, proxies, or servers.

Missing User Warnings

Low
Confidence: 92%
Finding:
The documentation explicitly requires a user authentication token in a query parameter but provides no warning about safe handling, storage, or transmission of that credential. Query parameters are commonly exposed in logs, browser history, analytics, proxies, and referrer headers, so documenting token use this way without cautions increases the chance of credential leakage.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.