Security audit

Douyin Creator Marketplace (Xingtu) Video Distribution API

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it passes its API token in URLs, which can leak credentials through logs or monitoring systems.

Review this before installing. Only use low-privilege, revocable tokens; avoid using it where URLs are logged; rotate any token that may have appeared in logs; and prefer a version that sends credentials in an Authorization or other secure header if the provider supports it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill places the authentication token in a query parameter and appends it to the request URL, which exposes the token to URL logging, browser/history capture, proxy logs, monitoring systems, and error telemetry beyond the intended recipient. In this API wrapper context, the risk is elevated because the token is a required credential for every call and the code provides no warning or safer alternative such as an Authorization header.

Missing User Warnings

Medium
Confidence: 97%
Finding
Passing an authentication token in a URL query parameter is dangerous because query strings are commonly logged by clients, proxies, gateways, browser history, observability systems, and server access logs. Even over HTTPS, the token may be exposed through secondary storage or monitoring infrastructure, enabling credential leakage and unauthorized API access.
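To make the two findings concrete, the following is an added example written for this audit; it is not code from the skill, from SkillSpector, or from the Xingtu API. It assumes a hypothetical endpoint (api.example.invalid), an assumed query parameter name (access_token), a constructed token value, and a constructed snippet of wrapper source. It builds the same request both ways, shows that a plain access-log entry recovers the token verbatim only in the query-string form, scrubs credential-looking parameters as a fallback when a provider offers no header option, and runs the kind of pattern scan over source text that should have caught this.

```python
"""Token-in-URL vs Authorization-header request construction, plus the
log-leak check and a source scan. Added example; endpoint, parameter names
and the sample source are constructed for illustration, not taken from the
skill under audit."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

BASE_URL = "https://api.example.invalid/v1/videos"   # hypothetical endpoint
TOKEN = "tok_EXAMPLE_0123456789"                      # constructed sample value

# Query parameter names commonly used to carry credentials (assumed list).
SECRET_PARAMS = ("access_token", "token", "api_key", "apikey", "key")


def build_request_insecure(params: dict, token: str) -> tuple[str, dict]:
    """The pattern the audit flags: the token rides in the query string."""
    query = dict(params, access_token=token)      # 'access_token' is an assumed name
    return f"{BASE_URL}?{urlencode(query)}", {}


def build_request_secure(params: dict, token: str) -> tuple[str, dict]:
    """Hardened form: the token travels only in the Authorization header."""
    url = f"{BASE_URL}?{urlencode(params)}" if params else BASE_URL
    return url, {"Authorization": f"Bearer {token}"}


def access_log_line(url: str) -> str:
    """Constructed stand-in for a proxy or server access-log entry, which
    records the full request line including the query string but not headers."""
    return f"GET {url} HTTP/1.1 200"


def token_leaks_in_log(log_line: str, token: str) -> bool:
    """True if the credential is recoverable verbatim from the log entry."""
    return token in log_line


def redact_query_secrets(url: str, names=SECRET_PARAMS) -> str:
    """Fallback mitigation when the provider insists on query-string tokens:
    scrub credential-looking parameters before the URL reaches any log."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in list(query):
        if name.lower() in names:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


_TOKEN_IN_QUERY = re.compile(
    r"[?&](" + "|".join(SECRET_PARAMS) + r")=", re.IGNORECASE)


def scan_source_for_query_tokens(source: str) -> list[int]:
    """Static check of the kind a skill audit should run: return 1-based line
    numbers where a URL literal or f-string puts a credential in the query."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if _TOKEN_IN_QUERY.search(line)]


# Constructed snippet of wrapper code to run the scan against.
SAMPLE_SOURCE = '''
url = f"{BASE}/videos?access_token={token}&video_id={vid}"
resp = requests.get(url)
headers = {"Authorization": f"Bearer {token}"}
'''

if __name__ == "__main__":
    bad_url, _ = build_request_insecure({"video_id": "v1"}, TOKEN)
    good_url, good_headers = build_request_secure({"video_id": "v1"}, TOKEN)
    print("insecure log leaks token:", token_leaks_in_log(access_log_line(bad_url), TOKEN))
    print("secure log leaks token:  ", token_leaks_in_log(access_log_line(good_url), TOKEN))
    print("redacted:", redact_query_secrets(bad_url))
    print("flagged source lines:", scan_source_for_query_tokens(SAMPLE_SOURCE))
```

Redaction only protects the logs you control; browser history, upstream proxies and the provider's own access logs still see the original URL, which is why the header form is the fix and redaction is only a stopgap, and why any token that has already appeared in a URL should be rotated.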

VirusTotal

All 65 of 65 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.