ClawHub
Back to skill

Security audit

Douyin Dedup

Security checks across malware telemetry and agentic risk

Overview

This skill openly downloads Douyin videos and removes watermarks while altering them to avoid duplicate-content matching, which creates clear platform-abuse and attribution-removal risk.

Install only if you intend to process videos you own or are authorized to modify and repost. Be aware that the skill downloads remote Douyin content, removes watermarks, alters the video to reduce duplicate detection, strips audio, and saves MP4 files locally under ~/video-dedup/output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description documents automatic download, watermark removal, modification, audio stripping, and file output, but it does not warn users that it will fetch remote content and persist transformed media to disk. In an auto-triggered skill, that omission can lead to surprising data transfer, storage consumption, and processing of untrusted remote input without informed user consent.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The file is explicitly designed to download Douyin videos, remove watermarks, and perform 'deduplication' through remixing to evade platform detection or duplicate-content controls. In skill context, this is more dangerous because the stated purpose is content-circumvention and attribution removal, indicating intentional abuse rather than incidental capability.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The comments and implementation specifically describe obtaining a no-watermark Douyin video URL without login, which is direct circumvention guidance. In this skill's context, that increases risk because it operationalizes unauthorized access to platform-protected media variants and facilitates downstream misuse such as reposting or impersonation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal