gnview-api-downloader

Security checks across malware telemetry and agentic risk

Overview

This skill is a Douyin API guide, but it tells users to send full logged-in Douyin cookies to an external HTTP API, which can expose account sessions.

Install or use this only if you fully trust the API backend and understand that a Douyin cookie can act like an active login session. Do not send real account cookies to the documented HTTP endpoint; use a verified HTTPS service you control, a low-risk test account, and rotate/logout if a cookie is exposed. Only collect Douyin data you are authorized to access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly supports Douyin data collection and Cookie updates, which involve sensitive session data and potentially privacy-impacting scraping activity, but it provides no warning about handling credentials, user consent, account risk, or lawful use. In this context, the omission increases the chance that users will expose session cookies or misuse the tool in ways that compromise accounts or violate privacy expectations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly describes how to enumerate a Douyin user's full posted-video history and paginate through all results, but it provides no authorization, consent, privacy, or acceptable-use constraints. While the content focuses on publicly accessible post data rather than direct credential theft or code execution, packaging bulk collection guidance as an agent skill lowers the barrier for large-scale profiling, scraping, and privacy-invasive monitoring.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation explicitly advises providing a valid Cookie or authentication token to access protected user pages, but it gives no guidance on secure handling, storage, masking, or transmission of those credentials. In an API-downloader skill aimed at scraping Douyin data, this omission can lead users to paste live session tokens into shell commands, logs, shared notebooks, or third-party services, increasing the risk of account takeover or unauthorized access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to send a full authenticated Douyin cookie string, including session and CSRF-related tokens, to a remote third-party API endpoint. This exposes reusable authentication material that could enable account/session takeover, unauthorized scraping actions, or long-lived impersonation if the endpoint, logs, or intermediaries are compromised; the risk is heightened because the example uses plain HTTP rather than HTTPS.

External Transmission

Medium
Category
Data Exfiltration
Content
**Request example**:
```bash
# Basic request example
curl -X POST "http://sd79uu743j76vf3vkn7pg.apigateway-cn-beijing.volceapi.com/api/hybrid/update_cookie" \
  -H "Content-Type: application/json" \
  -d '{
    "service": "douyin_web",
```
Confidence
98% confidence
Finding
curl -X POST "http://sd79uu743j76vf3vkn7pg.apigateway-cn-beijing.volceapi.com/api/hybrid/update_cookie" \ -H "Content-Type: application/json" \ -d '{ "service": "douyin_web", "cookie": "tt

VirusTotal

61/61 vendors flagged this skill as clean.
