ClawHub

Douyin Video Download

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Douyin video downloader, but it under-discloses some behavior and recommends a risky privileged install step.

Review before installing. Avoid the one-line sudo curl installer; install yt-dlp through a trusted package manager or a verified download, and run this only in a low-privilege environment with trusted Douyin URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises shell and environment-dependent behavior but does not declare corresponding permissions, which weakens transparency and trust boundaries for anyone installing or invoking it. In this context, the README explicitly instructs users to run shell commands and rely on external binaries, so missing permission declarations can cause underestimation of the skill's operational and security footprint.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially differs from the described implementation: the skill claims deduplication and yt-dlp/Playwright selection, but analysis indicates no deduplication logic and actual switching between curl and yt-dlp, with Playwright used only for parsing. This is dangerous because users may make security and reliability decisions based on inaccurate claims, especially when an undocumented downloader like curl becomes part of the execution path.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
### 2. 安装外部工具 (可选但推荐)

- **yt-dlp**: 提供最佳下载体验和更高的稳定性。
  - **Linux/macOS**: `sudo curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o /usr/local/bin/yt-dlp && sudo chmod a+rx /usr/local/bin/yt-dlp`
  - **Windows**: 从 [yt-dlp releases](https://github.com/yt-dlp/yt-dlp/releases) 下载 `.exe` 并添加到 PATH。

## 使用
Confidence
97% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
### 2. 安装外部工具 (可选但推荐)

- **yt-dlp**: 提供最佳下载体验和更高的稳定性。
  - **Linux/macOS**: `sudo curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o /usr/local/bin/yt-dlp && sudo chmod a+rx /usr/local/bin/yt-dlp`
  - **Windows**: 从 [yt-dlp releases](https://github.com/yt-dlp/yt-dlp/releases) 下载 `.exe` 并添加到 PATH。

## 使用
Confidence
97% confidence
Finding
sudo

Chaining Abuse

High
Category
Tool Misuse
Content
### 2. 安装外部工具 (可选但推荐)

- **yt-dlp**: 提供最佳下载体验和更高的稳定性。
  - **Linux/macOS**: `sudo curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o /usr/local/bin/yt-dlp && sudo chmod a+rx /usr/local/bin/yt-dlp`
  - **Windows**: 从 [yt-dlp releases](https://github.com/yt-dlp/yt-dlp/releases) 下载 `.exe` 并添加到 PATH。

## 使用
Confidence
89% confidence
Finding
&& sudo

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal