Security audit

Douyin Creator Marketplace (Xingtu) Creator Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI search wrapper, with the main caution that its API token is sent in the request URL.

Install only if you trust JustOneAPI and are comfortable using JUST_ONE_API_TOKEN for this endpoint. Because the token is sent as a URL query parameter, avoid sharing command output, logs, or request URLs, and rotate the token if you think those URLs may have been recorded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill requires an authentication token as a query parameter and later appends all query parameters directly into the URL. Query-string tokens are commonly exposed through logs, browser/history systems, monitoring tools, proxies, and referrer leakage, so placing credentials in the URL is an unsafe design even when HTTPS is used. In this skill context, the token is the primary credential for a third-party API, which makes accidental disclosure materially harmful.

Missing User Warnings

Medium
Confidence: 98%
Finding
Passing a required authentication token in the query string is risky because query parameters are commonly logged by clients, proxies, gateways, browser history, observability tools, and server access logs. Even over HTTPS, accidental exposure through logs or shared URLs can leak credentials and allow unauthorized access to the underlying Douyin/Xingtu account or API resources.

Missing User Warnings

Medium
Confidence: 95%
Finding
Documenting an authentication token as a URL query parameter is a real security weakness because query strings are commonly exposed through server logs, browser history, analytics tooling, proxy logs, and referrer headers. In this skill context, the endpoint is an authenticated creator-search API, so users may copy or invoke requests in ways that unintentionally leak long-lived credentials to multiple systems.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.