Douyin Search

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate logged-in Douyin comment harvesting, but it asks for reusable account cookies, stores browser session state, and uses avoidable shell-based browser automation patterns.

Only install after reviewing the cookie-handling workflow carefully. Use a throwaway/test account if possible, avoid pasting raw cookies into chat, delete any saved cookie or browser-state files after use, and be aware that the scraping and anti-detection behavior may violate Douyin rules or trigger account restrictions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Run ab eval via a temporary file (avoids shell escaping)"""
    js_file = str(TMP_DIR / "_ab_eval_tmp.js")
    Path(js_file).write_text(js)
    return subprocess.run(
        f"agent-browser eval \"$(cat {js_file})\"",
        shell=True, capture_output=True, text=True, timeout=timeout,
    )
Confidence
97% confidence
Finding
return subprocess.run( f"agent-browser eval \"$(cat {js_file})\"", shell=True, capture_output=True, text=True, timeout=timeout, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        js = HARVEST_JS_AGGRESSIVE
        js_file = str(TMP_DIR / "_harvest_oneshot.js")
        Path(js_file).write_text(js)
        r = subprocess.run(
            f"agent-browser eval \"$(cat {js_file})\"",
            shell=True, capture_output=True, text=True, timeout=120,
        )
Confidence
97% confidence
Finding
r = subprocess.run( f"agent-browser eval \"$(cat {js_file})\"", shell=True, capture_output=True, text=True, timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        js_file = str(TMP_DIR / "_harvest_step.js")
        Path(js_file).write_text(js)
        # Initialize (the first eval takes the initialization branch)
        r = subprocess.run(
            f"agent-browser eval \"$(cat {js_file})\"",
            shell=True, capture_output=True, text=True, timeout=15,
        )
Confidence
97% confidence
Finding
r = subprocess.run( f"agent-browser eval \"$(cat {js_file})\"", shell=True, capture_output=True, text=True, timeout=15, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
})()
        """
        Path(str(TMP_DIR / "_harvest_flush.js")).write_text(flush_js)
        r = subprocess.run(
            f"agent-browser eval \"$(cat {TMP_DIR}/_harvest_flush.js)\"",
            shell=True, capture_output=True, text=True, timeout=10,
        )
Confidence
96% confidence
Finding
r = subprocess.run( f"agent-browser eval \"$(cat {TMP_DIR}/_harvest_flush.js)\"", shell=True, capture_output=True, text=True, timeout=10, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        stalled = 0
        total_added = 0
        for rnd in range(max_rounds):
            r = subprocess.run(
                f"agent-browser eval \"$(cat {js_file})\"",
                shell=True, capture_output=True, text=True, timeout=20,
            )
Confidence
97% confidence
Finding
r = subprocess.run( f"agent-browser eval \"$(cat {js_file})\"", shell=True, capture_output=True, text=True, timeout=20, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                err(f"  round {rnd+1} eval 失败: {r.stderr[:100]}")
                # Retry once
                time.sleep(2)
                r = subprocess.run(
                    f"agent-browser eval \"$(cat {js_file})\"",
                    shell=True, capture_output=True, text=True, timeout=20,
                )
Confidence
97% confidence
Finding
r = subprocess.run( f"agent-browser eval \"$(cat {js_file})\"", shell=True, capture_output=True, text=True, timeout=20, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}})
    .filter(Boolean)
)""")
    r = subprocess.run(
        f"agent-browser eval \"$(cat {eval_file})\"",
        capture_output=True, text=True, timeout=15, shell=True,
    )
Confidence
98% confidence
Finding
r = subprocess.run( f"agent-browser eval \"$(cat {eval_file})\"", capture_output=True, text=True, timeout=15, shell=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        const avatar = !!document.querySelector('[class*="avatar"]:not([class*="placeholder"])');
        return JSON.stringify({title, captcha, loginPanel, userInfo, avatar});
    })()"""
    r = subprocess.run(
        f"agent-browser eval \"$(cat <<'EOF'\n{check_js}\nEOF\n)\"",
        capture_output=True, text=True, timeout=10, shell=True,
    )
Confidence
98% confidence
Finding
r = subprocess.run( f"agent-browser eval \"$(cat <<'EOF'\n{check_js}\nEOF\n)\"", capture_output=True, text=True, timeout=10, shell=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            err("cookie 解析失败")
            sys.exit(1)
        for name, value in cookie_parts:
            subprocess.run(["agent-browser", "cookies", "set", name, value,
                            "--domain", ".douyin.com", "--path", "/"],
                           capture_output=True)
        # 2) save state
Confidence
84% confidence
Finding
subprocess.run(["agent-browser", "cookies", "set", name, value, "--domain", ".douyin.com", "--path", "/"], capture_output=True)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The changelog explicitly documents anti-detection scraping behavior such as '人类模式', jitter between requests, and techniques to reduce platform risk controls, but does not pair this with any warning about account bans, CAPTCHA escalation, or terms-of-service/legal risk. In the context of a Douyin scraping skill, this meaningfully increases the likelihood that users will operate the tool in a way that evades platform safeguards without informed consent, making misuse easier and safer for the operator.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The testing instructions explicitly tell contributors to use real cookies and perform live Douyin scraping, but they do not clearly warn about account exposure, privacy implications, or the risk of triggering platform anti-abuse controls. In this skill’s context, real authenticated session data is sensitive, and normalizing its use in contributor workflows increases the chance of credential leakage, unauthorized collection of personal data, or account sanctions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The setup flow tells the agent to ask the user for full Douyin cookie contents and write them to disk, but it does not present a strong warning that these cookies are authentication secrets equivalent to account access. Handling them casually through chat or agent workflows increases the risk of credential exposure, retention in logs, or reuse beyond the user's intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script converts live Douyin authentication cookies and writes them to disk, enabling long-lived local storage of bearer-style session secrets. Even with chmod 600, placing cookies in /tmp and not clearly warning users increases the chance of credential theft, accidental disclosure, backup leakage, or reuse by other local processes running as the same user.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code reconstructs the user's authentication cookies and sends them in an HTTP request to Douyin to validate login state. While the destination is the intended service over HTTPS, this still transmits reusable authentication material without a prominent warning or consent step, which is sensitive in a scraping skill that handles login sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Persisting and replaying agent-browser state stores reusable login session data that can authenticate future browser runs. In the context of a content-scraping skill that explicitly relies on logged-in sessions for comments, this materially increases the risk of account compromise if the state file is copied, exposed, or reused outside the user's intent.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to solicit full Douyin cookies from the user and save them locally. Those cookies can authenticate as the user, so collecting them through the agent creates a direct secret-handling and account-takeover risk if the chat, storage location, or host environment is compromised.

VirusTotal

VirusTotal findings are pending for this skill version.
