Douyin Live-Stream Danmu AI Smart Reply Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Douyin live-chat assistant purpose, but it runs a large obfuscated signing script, disables WebSocket certificate checks, and stores/forwards viewer chat data with limited privacy disclosure.

Install only if you are comfortable running an obfuscated Douyin signing script under Node. Use a virtual environment, provide the DeepSeek key via an environment variable, review or sandbox sign.js, restore certificate verification if possible, and treat saved chat logs/cache as viewer data that may require consent, protection, and periodic deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (3160)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Run get_sign_wrapper.js in a Node.js subprocess, passing arguments via stdin/stdout
        wrapper_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'get_sign_wrapper.js')
        result = subprocess.run(
            ['node', wrapper_path],
            input=s,
            capture_output=True,
Confidence
70% confidence
Finding
result = subprocess.run( ['node', wrapper_path], input=s, capture_output=True, text=True, encoding='utf-8', timeout=10

Tainted flow: 's' from requests.get (line 178, network input) → subprocess.run (code execution)

Critical
Category
Data Flow
Content
# Run get_sign_wrapper.js in a Node.js subprocess, passing arguments via stdin/stdout
        wrapper_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'get_sign_wrapper.js')
        result = subprocess.run(
            ['node', wrapper_path],
            input=s,
            capture_output=True,
Confidence
90% confidence
Finding
result = subprocess.run( ['node', wrapper_path], input=s, capture_output=True, text=True, encoding='utf-8', timeout=10

Intent-Code Divergence

Low
Confidence
98% confidence
Finding
At L5, the docstring states the function performs 'MD5 encryption'. However, the implementation at L6 uses hashlib.md5(...).hexdigest(), which is a one-way hash, not encryption. This is an intent/documentation mismatch that could mislead callers about the function's security properties and behavior.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring for `parseChatMsg` says `调用DeepSeek AI生成回复` ("Call DeepSeek AI to generate a reply"), which implies the skill will actually reply to chat messages. In code, it generates a reply object, writes it to `REPLY_FILE`, and prints it locally, but never sends any outbound message through the websocket or another API. This is an intent-level contradiction between the documented behavior and the actual implementation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This markdown file states that the skill generates `ai_replies.jsonl` containing timestamps, usernames, danmu content, and replies, which is user data retention. Under the markdown-specific warning criteria, the description should clearly warn users about privacy and data-handling implications, but this section presents the files as routine output without any caution or disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The introduction says the skill captures Douyin live-room danmu in real time and uses DeepSeek AI to analyze user intent and generate replies, which implies third-party processing of user-generated content. The README explains functionality and setup, but does not clearly warn that live comments may be transmitted to an external API or discuss privacy implications.

Natural-Language Policy Violations

Low
Confidence
77% confidence
Finding
Natural-language policy review applies to all file types, including markdown. This README presents the skill exclusively in Chinese with no indication that language is selectable or intentionally limited to a specific locale, which can be read as forcing a language/locale without user opt-in.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown states that the system collects live barrage messages and uses the DeepSeek API to deeply analyze each message, which implies viewer content is sent off-platform to a third-party service. While the file mentions API keys and costs, it does not clearly warn users about the privacy impact of transmitting audience messages to an external provider.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The natural-language instructions, headings, and examples are all presented in Chinese, and the document does not offer an alternative language or indicate that the skill is intentionally limited to Chinese-speaking users. Under the stated policy, forcing a specific language without user opt-in can be a locale-policy issue.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
This markdown file contains natural-language guidance that assumes Chinese as the required interaction language across all example prompts. Under the policy, forcing a specific language without user opt-in is a natural-language policy violation unless the locale constraint is clearly documented and justified, which is not present here.

Natural-Language Policy Violations

Low
Confidence
89% confidence
Finding
The docstring is written only in Chinese, which imposes a specific language choice in the skill's natural-language interface without offering an alternative or documenting a justified locale constraint. The policy for this review flags language or locale constraints that are forced without user opt-in.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
This code file contains user-facing natural-language instructions and comments entirely in Chinese, including setup guidance and configuration descriptions. Under the stated policy, forcing a specific language without offering a language or locale choice is a natural-language policy concern.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code sends the viewer username and chat message to the DeepSeek API, which is a network transmission of user data. Although the module docstring says it calls the DeepSeek API, there is no user-facing warning, confirmation, or privacy disclosure around sending chat content off-box, and the surrounding comments do not warn about that data handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function stores generated replies keyed by user_message via cache_reply, which is a file/data write involving user-provided content. While comments mention caching for implementation purposes, there is no user-facing warning that chat content may be retained locally, which is relevant to privacy and data handling.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
The prompt instructions are written to produce replies in Chinese and use Chinese-specific audience forms, but there is no indication that this locale restriction is optional or user-selected. Under the policy, forcing a specific language without opt-in is a natural-language policy concern unless the locale constraint is clearly documented and justified.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code forwards `user_name` and `content` from live chat to `generate_reply`, which implies transmission of user-generated data to an external AI service. Although the action is commented in code, there is no confirmation prompt or user-facing disclosure to affected users before their chat content is processed externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This block persists timestamps, usernames, user messages, and AI replies to `REPLY_FILE`. While the code performs the write directly, it does not provide any disclosure to users that their messages are being stored locally, creating an undisclosed data-retention behavior.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The parameters force `browser_language` to `zh-CN` and `tz_name` to `Asia/Shanghai`, which is a natural-language locale choice embedded in the skill. There is no indication that the user opted into this locale or that the skill is explicitly restricted to a China-specific deployment context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This wrapper reads `sign.js` from disk and executes it with `eval`, which is a code-execution operation in a code file. There is no confirmation prompt, logging, or explanatory disclosure near the operation to warn the user that arbitrary JavaScript from another file is being executed.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
The user-facing text in the module docstring and printed status messages is entirely in Chinese, with no indication that another language is supported or that the user can choose a locale. This is a natural-language policy concern because it imposes a language choice by default rather than offering opt-in or documenting a justified locale restriction.

Natural-Language Policy Violations

Low
Confidence
94% confidence
Finding
The module docstring and all user-facing console messages are written exclusively in Chinese, which can impose a language choice on users without offering an alternative or documenting that the skill is intentionally Chinese-only. This matches the policy category for language or locale constraints that are not presented as optional or justified.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code writes a persistent cache file containing raw 'user_message' and 'ai_reply' content, which may include sensitive user data. Although the file operations are documented in code comments, there is no user-facing disclosure, confirmation, or visible warning that conversation content will be stored on disk.

Natural-Language Policy Violations

Low
Confidence
86% confidence
Finding
The file's docstrings, comments, and user-visible print strings are written exclusively in Chinese, which can impose a language choice on users or maintainers without explicit opt-in. Under the language/locale policy, forcing a specific language without offering a choice can be a policy concern.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This JavaScript contains embedded URL strings for remote endpoints such as "https://mssdk.bytedance.com" and "/web/report", and the code includes request/send logic like fetch/XMLHttpRequest/sendBeacon. The file is heavily obfuscated and provides no comments, logging, prompt, or other user-visible disclosure explaining that browser/device data may be sent over the network.

Ssd 3

Medium
Confidence
82% confidence
Finding
This code stores each user's message and the generated reply to a local reply log without any apparent minimization, consent, or sensitivity filtering. In an AI-agent context, retaining everything users say in plain form can semantically function as an instruction to collect and preserve user-provided data, which creates data-leak risk even though it does not use explicit exfiltration terminology.

VirusTotal

65/65 vendors flagged this skill as clean.
