Security audit

Douyin Creator Marketplace (Xingtu) Creator Visibility Status API

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused JustOneAPI helper, but users should protect the API token because the backend expects it in the request URL.

Install only if you trust JustOneAPI and need this specific endpoint. Use a limited or revocable token if available, avoid sharing full request URLs or logs, and rotate the token if it may have appeared in logs, terminal history, screenshots, or error reports.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: Passing an authentication token in a query parameter is risky because query strings are commonly logged by servers, proxies, client libraries, browser history, and observability systems. Even over HTTPS, the token can be exposed through these secondary channels, enabling credential theft and unauthorized API access if logs or traces are compromised.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.