Security audit

Douyin Mini Game Server Api

Security checks across malware telemetry and agentic risk

Overview

This appears to be a documentation/reference skill for Douyin mini-game server APIs, not a tool that secretly accesses credentials or runs code.

Install this as an API reference skill if you are comfortable with a skill that helps reason about Douyin mini-game backend authentication and OpenAPI workflows. Do not paste real app secrets or access tokens into chat unless you explicitly intend the agent to use them, and prefer local environment variables or your normal secrets workflow for live credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Credential Access

High
Category
Privilege Escalation
Content
---
name: douyin-mini-game-server-api
description: Comprehensive skill reference for Douyin (TikTok China) mini-game server-side OpenAPI. Covers HTTPS API interfaces for backend developers — access token management, login credential verification, user data storage, QR code generation, subscription messages, gift redemption, Link/Schema generation, dynamic sharing, game group tags, and all server-side `mgplatform/api` endpoints. Use when developing, debugging, or asking questions about Douyin mini-game backend APIs — especially the server-side login flow (code2Session/checkSessionKey/resetSessionKey), access token (getAccessToken/genStableAccessToken), user cloud storage (setUserStorage/removeUserStorage), QR codes (createQRCode), subscription notifications, gift reward verification, or any OpenAPI SDK integration.
---

> Generated from the official Douyin mini-game server-side OpenAPI documentation; generation time 2026-06-24
Confidence
70% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
---
name: douyin-mini-game-server-api
description: Comprehensive skill reference for Douyin (TikTok China) mini-game server-side OpenAPI. Covers HTTPS API interfaces for backend developers — access token management, login credential verification, user data storage, QR code generation, subscription messages, gift redemption, Link/Schema generation, dynamic sharing, game group tags, and all server-side `mgplatform/api` endpoints. Use when developing, debugging, or asking questions about Douyin mini-game backend APIs — especially the server-side login flow (code2Session/checkSessionKey/resetSessionKey), access token (getAccessToken/genStableAccessToken), user cloud storage (setUserStorage/removeUserStorage), QR codes (createQRCode), subscription notifications, gift reward verification, or any OpenAPI SDK integration.
---

> Generated from the official Douyin mini-game server-side OpenAPI documentation; generation time 2026-06-24
Confidence
70% confidence
Finding
access token

VirusTotal

61/61 vendors flagged this skill as clean.
