Security audit

桃噗噗回复助手

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Douyin auto-reply tool, but it needs Review because it can post from logged-in accounts, retain session/activity data, and includes stealth and human-mimicry behavior.

Install only if you are comfortable giving this skill automated posting authority over a logged-in Douyin account. Review and disable stealth browser flags, use manual approval or draft-only mode if possible, restrict where session files and logs are stored, and ensure the automation complies with Douyin rules and your account-risk tolerance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The configuration includes anti-detection flags such as disabling Blink automation indicators and infobars, plus sandbox-disabling flags, which go beyond normal browser automation needs for comment reply workflows. In the context of a Douyin auto-reply skill that automates a third-party platform, these settings strongly suggest an attempt to evade platform bot detection and reduce browser security isolation, increasing both abuse potential and host compromise risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The module explicitly saves and reloads full Playwright storage state to disk under a local user-data directory, which can include authentication cookies and other session material. In a browser automation skill that manages social-media accounts, persisting these artifacts increases the risk of account takeover or unauthorized reuse if the host is compromised, files are copied, or multiple local users/processes can access the directory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick-start flow tells the user to connect an account and start monitoring, but it does not clearly warn that the skill will autonomously post replies on the user's Douyin account and retain processing state. This undermines informed consent and can cause unintended account actions or reputational harm if the user does not realize automation is active.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document states that login state and account metadata are persisted, but it does not flag these artifacts as sensitive or describe their protection requirements. Stored session/account data can enable account takeover, privacy leakage, or unauthorized automation if copied or exposed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The logger persists operational data such as accountId, videoId, commentId, matchedWords, error details, and truncated reply content to disk and sometimes console without minimization, masking, retention controls, or access safeguards. In the context of a Douyin auto-reply skill that processes user interactions at scale, these logs can expose user/activity data and internal failure details to local users, support staff, or other components that can read the filesystem or collected console output.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script programmatically clicks the Douyin '发送' button and posts a public reply with no built-in confirmation, approval gate, or last-moment user review. In the context of an auto-reply skill for a public social platform, this increases the risk of unintended, policy-violating, or reputationally harmful messages being sent at scale if upstream content generation, account targeting, or page state is wrong.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script unconditionally clicks the active '发送' button after injecting text, causing an irreversible external action without any explicit confirmation, preview, or last-mile user consent. In the context of a browser automation skill for social-platform replies, this increases the risk of accidental posting, misdirected responses, or automated abuse if upstream logic selects the wrong comment or generates unsafe content.

Ssd 4

Medium
Confidence
97% confidence
Finding
The skill explicitly promotes randomized delays, burst protection, and similar tactics to mimic human behavior and reduce platform risk controls. Guidance aimed at evading detection is dangerous because it facilitates deceptive automation and can be adapted for spam, sockpuppeting, or abuse at scale.

Ssd 4

Medium
Confidence
98% confidence
Finding
The processing flow combines automated content generation with explicit human-mimicking steps such as random delay before posting, creating a deception pattern rather than simple automation. In the context of mass comment monitoring and multi-account support, this materially increases abuse potential and reduces detectability of inauthentic behavior.

Ssd 4

Medium
Confidence
98% confidence
Finding
The operational notes directly advise delaying replies to simulate a real person and avoid risk control triggers. That is explicit evasion guidance, not merely a performance or safety recommendation, and it makes the skill more dangerous by encouraging deceptive behavior on a live platform.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.