ClawHub

Douyin Data Exporter

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it exports sensitive account and optional advertising data with bearer tokens while its disclosure, permissions, and file containment are under-scoped.

Install only if you intend to export both Douyin video data and, optionally, BOSS/Dou+ advertising order data. Use short-lived least-privilege tokens, avoid passing long-lived bearer tokens directly in command history, use simple account names without slashes or path characters, and check where the files are written before running this on sensitive accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'headers' from os.getenv (line 102, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
headers = {"Authorization": f"Bearer {token}", "Accept": "application/json, application/vnd.ms-excel"}
    params = {"customerId": customer_id}
    try:
        resp = requests.get(url, headers=headers, params=params, timeout=60, stream=True)
        print(f"请求URL: {resp.url}", file=sys.stderr)
        resp.raise_for_status()
        content_type = resp.headers.get('Content-Type', '').lower()
Confidence
84% confidence
Finding
resp = requests.get(url, headers=headers, params=params, timeout=60, stream=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation indicates access to environment variables, filesystem reads/writes, and external network services, but the skill declares no permissions. This creates a transparency and consent problem: users and the platform cannot accurately assess the capability surface before installation or execution, increasing the risk of unexpected data access and exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is described as exporting Douyin homepage video data, but the documentation also describes collecting and exporting Dou+/BOSS advertising order data from a separate external service and producing broader reports. This mismatch can mislead users into providing sensitive business tokens or approving broader data collection than they intended, which materially increases the risk of unauthorized access to advertising or account data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation materially exceeds the declared purpose of exporting homepage video data by also accessing and exporting Dou+ advertising/lead order data from a different business endpoint. This scope mismatch is dangerous in agent ecosystems because users and orchestrators may grant the skill access based on a narrower description, enabling unauthorized collection of more sensitive business data than expected.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code adds a second credentialed capability by accepting a separate Dou+ bearer token and customer ID for exporting business data unrelated to homepage videos. This increases risk because it invites operators to supply additional sensitive credentials to a skill whose advertised purpose does not justify them, creating a privilege-expansion and data-minimization failure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation states that exported data is written to a local workspace path but does not warn that the files may contain sensitive account, video, or advertising-related information that will persist on disk. Persistent local storage without disclosure increases the chance of unintended retention, later exposure to other local users or tools, and mishandling of sensitive exports.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs users to obtain API tokens from a browser or platform backend and supply them to the tool, but it does not provide adequate guidance on credential sensitivity, safe storage, scope, or revocation. Browser-derived bearer tokens can grant significant access, and mishandling them could expose advertising, account, or API data to unauthorized parties.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal