Security audit

Douyin Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed code-review helper; its broad review permissions are high-trust but aligned with its purpose.

Install only if you are comfortable with a review helper that can invoke local LLM CLIs on your code diff. For sensitive repositories, prefer Codex review directly or run the helper with --no-yolo and disable fallback reviewers or auto-tests unless you intentionally want them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The skill claims it does not rely on scripts and is performed directly by the agent, yet it documents a script-based fallback that reads local files, cleans text, generates prompts, and writes analysis output. This mismatch is dangerous because operators and policy systems may grant trust based on the declared low-risk behavior while the actual supported workflow introduces additional execution and file-handling surfaces.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.