Security audit

Douyin Creator Marketplace (Xingtu) Conversion Resources API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for one Douyin Xingtu read-only API endpoint, with a credential-handling caveat because the token is placed in the request URL.

Install only if you trust JustOneAPI and are comfortable sending JUST_ONE_API_TOKEN to api.justoneapi.com. Avoid logging or sharing full request URLs, use the least-privileged token available, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding:
The API requires a sensitive authentication token to be supplied in the URL query string. Query parameters are commonly exposed through browser history, intermediary logs, reverse proxies, analytics tooling, referrer headers, and debugging output, so this design increases the chance of credential leakage even when HTTPS is used. In this skill context, the risk is real because the skill definition directly encourages callers to place the token in the least safe transport location without any warning or safer alternative.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The documentation explicitly requires a user authentication token in a query parameter but provides no warning about secure handling, storage, redaction, or transmission. Query-string tokens are especially prone to leakage through logs, browser history, analytics, referrers, and debugging output, so omitting privacy guidance increases the chance that downstream users will expose credentials.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.