Doubao Capture

Security checks across malware telemetry and agentic risk

Overview

The skill has a reasonable Doubao subtitle-capture purpose, but its plugin entry points to an absolute Python file outside the reviewed package.

Review before installing. Ask the publisher to include the Python capture script inside the package and reference it with a package-relative entry path. Only use it with a verified Doubao translation window handle and an output directory you expect.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: This markdown file describes the tool only as 'Capture translated subtitles from Doubao' and places it in a broader workflow, but it does not specify concrete trigger phrases, activation boundaries, or negative examples. That ambiguity can cause unintended invocation whenever a user mentions Doubao or subtitle capture in a general context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal