Douyin Comment Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Douyin comment-analysis skill that uses an external AI Skills API, with no evidence of hidden local access, persistence, destructive behavior, or unrelated data collection.

Install only if you are comfortable sending Douyin links and resulting analysis requests to ai-skills.ai under your API key. Prefer explicit invocation for specific Douyin analysis tasks, keep the API key in environment variables or a secret manager, and avoid submitting private or regulated business material unless the service’s data terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence: 82%
Finding
The skill instructs users to supply an API key via environment variables but does not include any warning about secure storage, least privilege, logging exposure, or avoiding hardcoding/secrets in shared command history. This can lead to accidental credential disclosure in shell history, CI logs, screenshots, or copied examples, enabling unauthorized use of the linked service.

Vague Triggers

Medium
Confidence: 94%
Finding
The skill enables implicit invocation without any trigger phrases, scope restrictions, or user-confirmation guardrails. That can cause the assistant to automatically route user requests into this external skill based on loose relevance, increasing the chance of unintended data exposure or unanticipated analysis on user-provided Douyin content.

VirusTotal

64/64 vendors flagged this skill as clean.
