Security audit

Douyin Learning Pipeline (抖音学习流水线)

Security checks across malware telemetry and agentic risk

Overview

This skill can do the Douyin download/transcription job it advertises, but it also handles live session cookies, installs or clones code, uses browser automation, and persists credentials in ways users should review first.

Install only if you are comfortable giving the skill Douyin session cookies and API keys, letting it fetch or run third-party downloader code, and sending media to transcription APIs. Prefer using environment variables or a secret manager, avoid pasting full browser cookies into chat, review cloned code before running it, and keep the downloader limited to specific links rather than account-wide or favorites collection modes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (35)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The bundled README documents capabilities far beyond the skill’s declared streamlined workflow, including broad scraping, favorites/profile batch download, browser fallback, and credential-dependent collection access. This kind of scope expansion increases the chance that the agent may expose or invoke functionality the user did not intend, weakening least-privilege boundaries and creating hidden data-access paths.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The README instructs installation of extra dependencies and use of a browser-based cookie capture flow that writes authenticated cookies into local configuration. In an agent skill context, that expands trust and execution surface beyond the user-facing workflow and can lead to credential handling or browser automation that users did not explicitly authorize.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The bundled README describes a much broader downloader with batch scraping, browser fallback, cookie use, database persistence, and transcription, which exceeds the skill’s declared lightweight link-processing purpose. This mismatch increases the risk of hidden or unexpected capabilities being exposed to an agent or user, undermining least privilege and informed consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The README instructs users to install a browser automation stack and perform interactive login to obtain Douyin cookies, introducing credential-handling and session-capture behavior not justified by the stated skill purpose. In an agent skill context, this is risky because it expands from simple content processing into authenticated account access and session management.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This code fetches runtime configuration from a third-party GitHub URL, which makes the skill non-self-contained and introduces a supply-chain trust boundary at execution time. If that remote file is changed, unavailable, or maliciously tampered with, the module can be redirected to attacker-controlled behavior without any local code change or user awareness.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The module performs outbound requests first to GitHub for configuration and then to a remotely supplied endpoint to obtain an msToken, expanding network access beyond the stated video-processing purpose. Because the second destination is controlled by remote config, an attacker who influences that config can cause requests, headers, and payload metadata to be sent to arbitrary hosts, creating SSRF-like and exfiltration risk.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The auto-cookie logic searches several local directories for cookies.json and .cookies.json and silently loads them when auto_cookie is enabled or cookie=auto is set. That broad, implicit credential discovery can cause the skill to consume unrelated local session cookies without the user's precise intent, which is risky in an agent skill that may run in varied environments and handle sensitive platform accounts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This client exposes capabilities to enumerate user posts, likes, mixes, music, collections, and profile data that materially exceed the declared skill purpose of parsing/downloading a provided Douyin link or extracting text from it. In this skill context, the extra collection surface increases privacy risk and enables bulk harvesting of account data unrelated to the user’s immediate request.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The browser fallback launches Playwright, supports manual login/captcha completion, scrapes IDs from rendered pages and API responses, and continues collecting data beyond simple URL parsing. Because the manifest presents a streamlined Douyin processing workflow, this undisclosed interactive scraping path is deceptive and increases the chance of collecting authenticated or broader account data than the user intended.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code generates X-Bogus/a_bogus signatures and emulates browser fingerprints to access Douyin endpoints in ways designed to satisfy or evade anti-bot checks. In a skill whose stated purpose is ordinary link processing, such anti-detection logic raises the risk of stealthy scraping and bypass of platform controls, making the behavior more suspicious and harder for users to understand.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This utility explicitly harvests Douyin authentication cookies after manual login, attempts to recover additional tokens from requests, storage, and page state, and then persists them to disk and optionally into YAML config. Those cookies and tokens can enable authenticated session reuse or account access, and the skill context makes this more dangerous because the advertised workflow is downloader/transcript/copywriting automation rather than credential collection, so the data collection exceeds what many users would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file explicitly implements Douyin anti-bot request-signing (a_bogus generation), RC4-based UA processing, and synthetic browser fingerprint generation so requests appear to originate from a real browser. In the context of a user-facing pipeline whose stated purpose is downloading/parsing/transcribing content, this goes beyond ordinary interoperability and materially enables stealthy automation and circumvention of platform access controls, making abuse easier.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script is presented as an environment self-check, but it performs state-changing actions by automatically installing yt-dlp and cloning an external repository. That behavior expands the trust boundary from inspection to code acquisition/execution preparation, which is risky because users may run a 'check' script expecting it to be non-invasive.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script tells users ffmpeg requires confirmation before installation, but silently auto-installs or clones other dependencies. This inconsistency can mislead users about the script's safety model and increase the chance they approve or run it without understanding that it modifies the system and fetches remote code.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script automatically clones a third-party GitHub repository and then executes its Python entrypoint as part of normal operation. This creates a software supply-chain risk because unreviewed remote code can be fetched at runtime and immediately run with the user's environment, network access, and potentially access to configured Douyin cookies.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to ask users for sensitive authentication material such as API keys and Douyin cookies, but does not provide clear privacy warnings, scope limitations, or secure handling requirements. Collecting login cookies in plain chat can expose active session credentials that may allow account misuse or unauthorized scraping if intercepted, logged, or reused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that missing dependencies will be installed automatically and repositories may be cloned, but it does not clearly warn users that this changes the local system and may execute third-party code. Automatic installation from package managers or GitHub expands the attack surface and can introduce supply-chain risk or unexpected privilege use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users to log in and then automatically writes Douyin cookies to the local config, but does not clearly warn that these are reusable authentication credentials. Storing session cookies in plaintext config materially increases risk of account compromise if the workspace, logs, backups, or generated files are exposed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises video transcription using OpenAI Transcriptions API without clearly stating that downloaded audio/video content may be sent to a third-party service for processing. This creates a privacy and compliance risk because users may unknowingly transmit copyrighted, personal, or otherwise sensitive media off-platform.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README states that after login the program will automatically write cookies into the configuration file, but does not clearly warn that these are sensitive session credentials. Storing live authentication tokens in plaintext config materially increases the chance of credential leakage, account takeover, or accidental reuse by other tools.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README enables optional transcription via the OpenAI Transcriptions API but does not clearly disclose that downloaded media/audio will be sent to a third-party external service. This creates a privacy and compliance risk, especially if videos contain personal data, copyrighted content, or confidential speech.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends a JSON payload and the caller's User-Agent to external services without any visible consent or disclosure path in this module. In the context of a user-facing Douyin workflow, hidden transmission to GitHub and a remote mssdk service is more dangerous because users would reasonably expect local parsing/downloading behavior, not additional third-party data sharing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The config template exposes multiple sensitive credential fields for API keys and Douyin session cookies without warning users not to hardcode real secrets or commit populated files. In this skill's context, the workflow is designed for scraping/downloading and optional transcription, so operators are likely to paste live tokens into config files, increasing the risk of credential leakage, account takeover, and unauthorized API usage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Cookies obtained in the automated browser session are merged back into the API client's cookie jar, which can silently upgrade later API requests with authenticated browser state. That creates an undisclosed privilege escalation path where login or captcha-completed session data may be reused for broader API access than the user expected.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code uploads the local audio/video file to a third-party transcription endpoint using an Authorization bearer token, but this file alone provides no user notice, consent gate, redaction, or policy check before transmission. In a pipeline that processes user-supplied Douyin links and media, this creates a real privacy and data-governance risk because potentially sensitive voice content is sent off-platform automatically.

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.