Back to skill

Security audit

Douyin Fetcher

Security checks across malware telemetry and agentic risk

Overview

This Douyin downloader is mostly understandable, but it adds under-disclosed transcription, storage, cleanup, and credential/API behavior that users should review before installing.

Install only if you are comfortable with the agent using a browser profile, downloading Douyin media, running curl/ffmpeg, and potentially sending extracted audio to a local ASR service. Review or remove the stale TikHub API path before use, and require explicit approval for credential use, transcript saving, video archiving, file moves, and cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is described as a Douyin video downloader, but the later sections expand behavior into transcript generation, knowledge-base writes, file retention rules, and cleanup logic. That scope creep is dangerous because downstream agents may invoke it expecting only download behavior, while it actually manages additional data flows and persistent storage.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The markdown introduces sending extracted audio to an ASR endpoint even though the skill is advertised as a video-fetching module. This creates an undeclared data exfiltration path for media-derived content and broadens the trust boundary from downloading to local service interaction and transcription processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions direct downloading files, creating intermediate artifacts, merging media, and later deleting or moving files, but do not present an explicit warning that the skill changes the local filesystem. This can surprise users and agents, increasing the risk of unintended overwrites, persistence of sensitive media, or destructive cleanup actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends audio content to an HTTP ASR endpoint without any privacy notice, data-handling explanation, or user consent step. Even if the endpoint is localhost, the transmitted audio may contain sensitive speech, and the lack of disclosure makes accidental privacy violations more likely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.