Quick Douyin Video-to-Text (抖音视频快速转文字)

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate Douyin transcription purpose, but its helper can run unsafe shell commands from supplied links or paths and its privacy/offline claims are overstated.

Install only if you are comfortable with local shell execution and networked Douyin-link processing. Use trusted links and file paths only, treat the privacy/offline claims as incomplete, and prefer a revised version that removes shell=True, passes subprocess arguments as lists, validates inputs, and clearly documents output locations and cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_command(cmd, cwd=None, timeout=300):
    """Run a command and return its output"""
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs the agent to invoke shell commands, read generated transcript files, and write artifacts such as audio.wav and Whisper output, yet it declares no permissions. This creates a transparency and consent problem because users and the platform may underestimate the skill's ability to execute commands and modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior materially differs from the stated privacy and locality claims: it depends on douyin-mcp, downloads remote media, and supports arbitrary local video files beyond the advertised use case. Misrepresenting these behaviors can cause users to provide sensitive links or files under false assumptions about offline operation, privacy, and scope.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Claiming 'zero network dependency' and 'offline usable' is inconsistent with a workflow that retrieves metadata via douyin-mcp and downloads media from remote Douyin resources. This can mislead users in restricted or sensitive environments into initiating network activity they did not intend to allow.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The statement that video/audio never leaves the local machine conflicts with the documented process of obtaining remote video URLs and downloading media over the network. Even if transcription is local, the privacy claim is overstated and may cause users to trust the skill with sensitive content under inaccurate assumptions.

Vague Triggers

Medium
Confidence
76% confidence
Finding
Broad trigger phrases such as '转文字' or '提取文案' can cause the skill to activate in contexts unrelated to Douyin, increasing the chance of unintended command execution, downloads, or local file processing. In a skill that invokes shell tools and writes files, accidental triggering raises the operational risk materially.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The workflow omits an explicit warning that it will download remote media and write local artifacts like audio.wav and transcript files. Without clear notice and consent, users may unknowingly permit network activity and persistence of potentially sensitive content on disk.

VirusTotal

66/66 vendors flagged this skill as clean.