Doubao Launch

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible Doubao-launch purpose, but it would execute an unbundled hardcoded Python script, so users cannot verify what it will actually do.

Install only if you control and have inspected the Python file at the configured /mnt/h/AI/... path and are comfortable with it launching Doubao and automating a visible Windows desktop session. Expect the skill to be machine-specific and unreliable or unsafe to run on systems where that path could point to an unknown file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 88%
Finding
For a markdown file, the description should warn about behaviors that may affect the user's system state or active desktop session. Although later notes mention visible desktop requirements, the tool description itself simply says it will launch the Doubao application without any user-facing caution about taking over the GUI or opening an external app.

VirusTotal

63/63 vendors flagged this skill as clean.
