
Security audit

抖音视频解析

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but its license activation code exposes privileged remote database credentials and updates a payment database directly from the user-installed package.

Install only if you trust the publisher and accept the no-watermark Douyin extraction, local quota file, and remote activation behavior. The publisher should remove and rotate the embedded database credentials and replace direct MySQL activation with a narrow HTTPS backend API before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence
Severity: Medium (96% confidence)
Finding: The CLI exposes a normal, unauthenticated `reset` command that directly calls `resetUsage()` and clears usage limits, while the help text only describes it as debug-only. That makes quota and licensing enforcement trivially bypassable by any user with local access to the tool, undermining the product's access-control and payment model.

Context-Inappropriate Capability
Severity: Medium (98% confidence)
Finding: This licensing module contains hardcoded remote MySQL access to an external payment database and performs activation-state mutation from client-side code. Embedding privileged database credentials in distributable code lets anyone extract them and directly query or modify the payment system, turning a licensing check into a full backend compromise risk.

Intent-Code Divergence
Severity: High (95% confidence)
Finding: The activated and expired key branches return `allowed: true` even when reporting that the key is invalid or expired. This can cause enforcement bypasses in callers that trust the `allowed` flag, enabling unauthorized access to functionality despite failed license validation.

Context-Inappropriate Capability
Severity: Medium (95% confidence)
Finding: The CLI exposes a public `reset` command that directly calls `resetUsage()` with no authentication, authorization, environment check, or other guard. In context, this defeats the quota/licensing model by allowing any user to reset usage counters, enabling abuse of the service and undermining payment or rate-limit controls.

Context-Inappropriate Capability
Severity: High (99% confidence)
Finding: The file hardcodes live MySQL connection details, including a root username and plaintext password, for an external payment database. Embedded secrets can be extracted by anyone with source or package access, enabling unauthorized database access, tampering with activation records, data theft, or broader infrastructure compromise if the database is Internet-reachable.

Intent-Code Divergence
Severity: Medium (92% confidence)
Finding: The activation logic falls back to locally embedded license keys whenever remote validation fails, which undermines the trust model of online activation. An attacker can trigger database failure conditions or simply reuse the published backup keys to obtain paid access without authorization.

Missing User Warnings
Severity: Low (86% confidence)
Finding: The skill documentation states that usage records are stored in a local state file, but it does not clearly warn users that invoking the tool will persist device-linked usage data on disk. This can create an unexpected privacy and transparency issue, especially on shared systems or managed environments where local artifacts may expose activity history or identifiers.

Missing User Warnings
Severity: Medium (90% confidence)
Finding: The tool explicitly accepts an optional `device_id` and uses it for quota tracking and license activation, but this file exposes no notice, consent flow, minimization, or disclosure to users about collection and use of a tracking identifier. In an agent-skill context, hidden tracking can enable persistent correlation of user activity across requests and may create privacy and compliance risk even if the identifier is not directly sensitive on its own.

Missing User Warnings
Severity: Medium (87% confidence)
Finding: The code sends activation codes and device identifiers to a remote database without any visible disclosure or consent mechanism in this file. Even if intended for licensing, silent transmission of device-linked data creates privacy and compliance risk, especially in a distributed client component.

Missing User Warnings
Severity: Medium (81% confidence)
Finding: The function performs server-side requests using user-supplied input (`realUrl`) with only minimal pattern extraction and no allowlisted host validation before the first outbound request. In an agent/skill context, this can enable SSRF-like behavior or unintended disclosure of user-provided links to external services, especially if untrusted text is passed in and the fallback `|| url` preserves arbitrary URLs.

Missing User Warnings
Severity: High (88% confidence)
Finding: The activation flow transmits a device identifier and license key usage data to a remote MySQL server directly from client code, with no visible notice, consent, or brokered API layer. Direct client-to-database access increases exposure of infrastructure details and may leak device-linked licensing data while also expanding the attack surface if credentials are recovered.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.