Jiuma Free Douyin Video Download and Text Transcription

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims: it sends user-provided Douyin video links to Jiuma to get download links and optional text extraction.

Install only if you are comfortable sending Douyin video links, resolved video URLs, task IDs, and extracted text to Jiuma's service. Avoid private, sensitive, proprietary, or token-bearing links unless you trust that service's handling and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill documentation shows clear network-capable behavior by invoking a Python script that parses URLs and submits extraction jobs to an external service, yet the skill declares no permissions or equivalent disclosure. This creates a transparency and governance gap: users and operators may not realize the skill transmits data off-platform, making review, consent, and policy enforcement harder.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to send user-provided Douyin/share URLs and derived video URLs to an external platform for parsing and text extraction, but provides no privacy warning, consent step, or data-handling disclosure. Shared links can contain personal, tracking, or sensitive content, so silent transmission to a third party can expose user data and create compliance risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill transmits user-supplied video/share URLs to a third-party remote API without any explicit notice, consent flow, or privacy disclosure. Shared URLs may contain personal, tracking, or access-bearing information, so silent transmission can leak sensitive user data to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.
