Douyin Automation

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Douyin upload purpose and discloses local session storage, but saved cookies and default publishing require care.

Install only if you want a CLI or agent to reuse a saved Douyin login and publish on your behalf. Keep the skill directory private, use --no-publish for drafts, and run the clear command when you no longer want the saved Douyin session on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists authenticated Douyin session cookies to disk, which are bearer credentials that can let anyone with file access reuse the account session. Although the file is chmod'ed to 0600, the skill provides no explicit user-facing disclosure, consent flow, encryption at rest, or retention controls, so accidental exposure, backup leakage, or local compromise could lead to account takeover.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill reads stored session cookies from disk and injects them into a new browser session, enabling silent reauthentication without an interactive login. This behavior increases the blast radius of any stolen cookie file and reduces user visibility into when privileged account actions are being performed.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"manage": "node scripts/manage.js"
  },
  "dependencies": {
    "puppeteer": "^23.11.1"
  }
}
Confidence
83% confidence
Finding
"puppeteer": "^23.11.1"

VirusTotal

61/61 vendors flagged this skill as clean.
