Douban Sync

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it exports a user's Douban collection history to local CSV files, with no evidence of hidden exfiltration or unrelated behavior.

Install this only if you want your Douban media history saved on this machine. Treat the generated CSV and state files as personal data, keep the output directory private, avoid cloud-shared/public folders unless protected, use browser mode only with a Douban session you are comfortable exposing to the scraper, and enable cron only if you intentionally want ongoing automatic sync.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill handles and persists a user's detailed media consumption history, which is personal data that may reveal preferences, beliefs, habits, or sensitive interests. Recommending automated daily sync to local CSV without any privacy warning, access-control guidance, or data-retention advice increases the chance that users will store this data insecurely or expose it unintentionally through shared folders, backups, or sync services.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal