Security audit

Douyin Video Forge Felix

Security checks across malware telemetry and agentic risk

Overview

The skill matches its short-video production purpose, but needs Review because it can automatically create recurring jobs that keep scraping, downloading, calling APIs, and writing files without clear opt-in or removal controls.

Install only if you are comfortable with a skill that can collect Douyin content, download and transcribe third-party videos, call Kling with your environment-provided API keys, create media files locally, and schedule future automated runs. Before using it for a multi-day plan, require an explicit schedule review, confirm where jobs and outputs are written, and make sure you know how to disable or delete the created jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document simultaneously claims compliance with Douyin robots.txt and terms of use while elsewhere planning anti-detection, anti-blocking, fingerprint randomization, proxy rotation, cookie pools, and CAPTCHA handling. That contradiction is a real trust and compliance risk: it normalizes deceptive scraping behavior and could lead operators to bypass platform safeguards under a false claim of legitimacy.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill creates persistent scheduled jobs for future autonomous execution, which is a significant behavior beyond a one-shot content-production workflow. Persistence increases risk because the skill can continue performing network access, data collection, media generation, and local writes after the initial interaction, potentially without ongoing user awareness.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Automatically creating Cron tasks is not essential to the core user-visible function of drafting and producing Douyin videos, and it introduces persistence plus repeated execution risk. In context, this makes the skill more dangerous because future runs may repeatedly scrape, download, call APIs, and consume local/network resources without a fresh per-run approval.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README describes the skill as handling the entire short-video production pipeline from natural-language requests, but it does not define clear activation boundaries or require explicit confirmation before browsing, downloading, transcribing, or generating files. In an agent environment, overly broad invocation scope can cause accidental triggering during ordinary conversation and lead to unintended external actions.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example prompts are phrased as normal conversational requests like asking to check today's skincare trends or analyze an account, which can overlap with routine chat. In an agent setting, that increases the chance the skill activates unintentionally and performs browsing, scraping, downloading, or analysis without the user realizing those tool actions will occur.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises browser scraping, competitor analysis, video downloading, local transcription, API generation, and file output, but it does not warn users about privacy, copyright, account-policy, storage, bandwidth, or local system effects. Because these operations can process third-party content and produce persistent artifacts, the missing safety disclosure increases the risk of unsafe or noncompliant use.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation triggers are broad terms like short-video production, video scripts, hotspot analysis, and related topics, which can unintentionally activate the skill in ordinary conversations. Because this skill can run shell/network operations and start data collection workflows, accidental activation increases the chance of unexpected side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs automatic browser collection, video downloads, and local media processing without clearly warning the user about privacy implications, platform-data handling, or local file creation. In this context, the skill processes third-party content and comments, which can implicate compliance, storage, and consent concerns if done silently.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes automatic creation of Cron jobs and writes to a persistent jobs file without a clear warning about system persistence. This is dangerous because it changes system behavior beyond the current session and can keep executing networked and file-writing actions later, which users may not expect or notice.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer unconditionally deletes any existing skill directory with `rm -rf "$SKILL_DIR"` before reinstalling. While the target path is constrained to the expected OpenClaw skills folder, this is still a destructive operation without confirmation or backup, so a user can lose local modifications or data stored in that directory.

Ssd 4

Medium
Confidence
99% confidence
Finding
The roadmap explicitly describes an access-escalation path for browser automation: anti-detection browser use, fingerprint randomization, proxy rotation, multi-account session management, cookie pools, and automated CAPTCHA handling. In the context of a scraping-heavy skill, these features materially increase the ability to evade platform defenses and facilitate unauthorized mass collection or account abuse.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code: suspicious.destructive_delete_command
Location: README.md:179