Security audit

Douyin Automation

Security checks across malware telemetry and agentic risk

Overview

This Douyin automation skill matches its stated purpose, but it asks for broad account, browser, credential, and remote-code authority without enough scoping or consent safeguards.

Install only after reviewing the scripts and the cloned repositories. Use a separate Douyin account and an isolated Chrome profile, do not schedule it with cron until you have tested its dry-run behavior, keep local GitHub tokens out of its reach, and assume the tool can operate your logged-in browser session, publish content, reply publicly, install packages, and leave local services running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print()

    start = time.time()
    result = subprocess.run(cmd, cwd=str(Path(orchestrator).parent))
    duration = round(time.time() - start)

    print()
Confidence
92% confidence
Finding
result = subprocess.run(cmd, cwd=str(Path(orchestrator).parent))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run(cmd, cwd=None, timeout=60, check=False):
    """Run shell command, return (success, stdout+stderr)."""
    try:
        r = subprocess.run(
            cmd, shell=True, cwd=cwd,
            capture_output=True, text=True, timeout=timeout
        )
Confidence
91% confidence
Finding
r = subprocess.run( cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout )
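To make this finding concrete, here is an added example (not code from the audited skill) that runs a constructed hostile argument through a command string with shell=True, through the same call with shlex.quote, and through an argv list. It assumes a POSIX /bin/sh and an echo binary, so it is not Windows-portable; the argument value and the INJECTED marker are constructed for the demonstration.

```python
import shlex
import subprocess

# Constructed attacker-controlled input: a filename or caption that a Douyin
# automation might interpolate into a command. The "; echo INJECTED" tail
# stands in for an arbitrary command.
HOSTILE_ARG = "clip.mp4; echo INJECTED"


def run_via_shell(arg: str) -> str:
    """The audited pattern: one command string handed to /bin/sh (shell=True).

    The shell parses the string, so the ';' inside `arg` ends the echo
    command and starts a second one.
    """
    r = subprocess.run(f"echo {arg}", shell=True, capture_output=True,
                       text=True, timeout=10)
    return r.stdout


def run_via_shell_quoted(arg: str) -> str:
    """Still shell=True, but the argument is escaped with shlex.quote so the
    shell sees a single word. Acceptable when a pipeline or redirection
    genuinely needs the shell."""
    r = subprocess.run(f"echo {shlex.quote(arg)}", shell=True,
                       capture_output=True, text=True, timeout=10)
    return r.stdout


def run_via_argv(arg: str) -> str:
    """Hardened form: an argv list and no shell. `arg` reaches echo as one
    literal argument whatever characters it contains."""
    r = subprocess.run(["echo", arg], capture_output=True, text=True,
                       timeout=10)
    return r.stdout


def injected(stdout: str) -> bool:
    """True if the payload actually ran, i.e. INJECTED appears on a line of
    its own rather than inside the echoed argument."""
    return "INJECTED" in stdout.splitlines()


if __name__ == "__main__":
    for fn in (run_via_shell, run_via_shell_quoted, run_via_argv):
        out = fn(HOSTILE_ARG)
        print(f"{fn.__name__:22} injected={injected(out)!s:5} stdout={out!r}")
```

Only the first variant executes the payload; the other two print the argument verbatim. In the audited `run()` helper the fix is to take `cmd` as a list and drop `shell=True`, reserving the quoted form for the rare call that needs shell features.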

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = f'"{python}" "{main_py}"'

    try:
        subprocess.Popen(
            cmd,
            cwd=str(Path(backend_dir).parent),
            stdout=subprocess.DEVNULL,
Confidence
90% confidence
Finding
subprocess.Popen( cmd, cwd=str(Path(backend_dir).parent), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=Tr

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs users to run installer and orchestration scripts that clone remote code, install dependencies, start services, and interact with local resources, yet the manifest shown in the markdown does not declare permissions corresponding to those capabilities. This is a transparency and consent failure: users cannot accurately assess that the skill will use shell, network, filesystem, and environment access before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior is framed as Douyin automation, but the analyzed behavior extends to searching for local GitHub credentials, inspecting environment tokens, reading credential files, opening Chrome with remote debugging, probing local ports, and reading local SQLite data. Access to unrelated credentials and local application state goes beyond the user-facing description and can expose secrets or broaden compromise if the cloned backend or scripts are malicious or compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The setup script actively searches for GitHub tokens in gh CLI output, environment variables, and ~/.git-credentials, even though cloning public repositories does not require harvesting user secrets. Accessing and repurposing developer credentials in a setup flow materially increases the risk of credential exposure, misuse, and unauthorized access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill prominently advertises automated publishing and comment replies but does not provide a clear warning that it will perform actions affecting the user's Douyin account and public-facing content. In an automation context, missing consent and risk disclosure can lead to unintended posts, spam-like behavior, account penalties, or reputational damage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup instructions state that the skill will automatically clone backend code, copy tools, install dependencies, write configuration files, and run health checks, but they do not clearly warn about the resulting system modifications. This is risky because executing installation and startup steps from a markdown-guided workflow can materially alter the host and expand the attack surface, especially when remote code is fetched and run.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes an automated workflow that exports comments and posts replies on a live Douyin account immediately after publishing, but it does not present any explicit warning, confirmation requirement, or safeguards around modifying external account data. In the context of a social-media automation skill, this increases the risk of unintended mass actions, account misuse, spammy behavior, or replies being sent from a logged-in user session without adequate operator awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly describes configuring a network access token and states that the orchestrator may fall back to hardcoded defaults when configuration is missing. In an automation skill that clones backend code and performs unattended publishing and AI API calls, this pattern increases the risk of embedded secrets, accidental credential disclosure, and unsafe deployments using undocumented default endpoints or tokens.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Embedding a recovered GitHub token directly into a clone URL is unsafe because the token can leak through process listings, shell history, error messages, logs, or downstream tooling. The user is not warned that local credentials are being pulled into command strings, which makes the behavior especially risky in an installer context.
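Covering both the token-harvesting finding above and this one, the following added example (not the skill's code; the repository URL and the token are constructed, and the token is shaped like a GitHub personal access token without being one) shows why a token spliced into the clone URL surfaces in the command line, a redaction filter for anything that logs commands, and how a token, if a private clone ever needed one, can be handed to git through the environment instead of argv. The GIT_CONFIG_COUNT/KEY_n/VALUE_n variables require git 2.31 or later.

```python
import base64
import re
import shlex

# Constructed values: a PAT-shaped token that is not a real one, and a
# hypothetical repository URL.
FAKE_TOKEN = "ghp_" + "A" * 36
REPO = "https://github.com/example-org/example-backend.git"

# Matches URL userinfo (user, user:password, or a bare token) between "://" and "@".
_USERINFO = re.compile(r"(?<=://)[^/@\s]+@")


def clone_argv_unsafe(repo: str, token: str) -> list:
    """The audited pattern: the token is spliced into the URL, so it becomes
    part of argv and shows up in ps output, shell history, git's own error
    messages and any log that records the command."""
    return ["git", "clone", repo.replace("https://", f"https://{token}@", 1)]


def clone_argv_safe(repo: str) -> list:
    """A public repository needs no credential at all; the argv stays free
    of secrets. This is the right fix for the audited installer."""
    return ["git", "clone", repo]


def clone_env_safe(token: str, host: str = "https://github.com/") -> dict:
    """If a private clone ever does need a token, pass it to git through the
    environment as an extra HTTP header (git >= 2.31). It is then absent
    from argv and history; it remains readable by the same user through the
    process environment, so keep the token tightly scoped."""
    basic = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    return {
        "GIT_CONFIG_COUNT": "1",
        "GIT_CONFIG_KEY_0": f"http.{host}.extraheader",
        "GIT_CONFIG_VALUE_0": f"AUTHORIZATION: basic {basic}",
    }


def cmdline(argv: list) -> str:
    """The command as a process lister or log line would render it."""
    return shlex.join(argv)


def leaks_token(argv: list, token: str) -> bool:
    return token in cmdline(argv)


def redact(text: str) -> str:
    """Log-side filter: replace any URL userinfo with *** before recording."""
    return _USERINFO.sub("***@", text)


def header_token(env: dict) -> str:
    """Decode the token back out of the env-passed header (for verification)."""
    b64 = env["GIT_CONFIG_VALUE_0"].split(" ", 2)[2]
    return base64.b64decode(b64).decode().split(":", 1)[1]


if __name__ == "__main__":
    unsafe = clone_argv_unsafe(REPO, FAKE_TOKEN)
    print("unsafe argv leaks token:", leaks_token(unsafe, FAKE_TOKEN))
    print("redacted for logging   :", redact(cmdline(unsafe)))
    print("safe argv leaks token  :", leaks_token(clone_argv_safe(REPO), FAKE_TOKEN))
    print("env-passed config      :", clone_env_safe(FAKE_TOKEN))
```

To use the environment form, merge `clone_env_safe(token)` into `os.environ` for the `subprocess.run(clone_argv_safe(repo), env=...)` call. Note that the redaction filter is a backstop for logging, not a substitute for keeping the token out of argv in the first place.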

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script starts Chrome with a persistent profile and --remote-debugging-port enabled, which exposes powerful browser automation capabilities to any local process that can reach 127.0.0.1:9222. In the context of a Douyin automation skill that likely handles authenticated creator sessions, this increases the risk of session hijacking, cookie access, and unauthorized browser control if the host is shared or already compromised.
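As an added example (not the skill's code), this probe does what any local process could do against a Chrome started with --remote-debugging-port: fetch /json/version and obtain the browser-level WebSocket debugger URL, which is all that is needed to attach and drive the logged-in session. A constructed stand-in for the DevTools HTTP endpoint lets the probe run offline; the hardened launch arguments swap the TCP port for --remote-debugging-pipe and a throwaway profile directory (the binary name and profile path are placeholders).

```python
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_devtools(port: int, host: str = "127.0.0.1", timeout: float = 1.0):
    """GET /json/version from a DevTools endpoint. Returns the parsed document
    (including webSocketDebuggerUrl, enough to attach and control every tab,
    cookies included) or None if nothing answers. Chrome performs no
    authentication here: being able to reach the port is the only check."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/json/version")
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return json.loads(resp.read())
    except (OSError, ValueError):
        return None
    finally:
        conn.close()


def chrome_argv(chrome_bin: str, profile_dir: str, expose_port: bool) -> list:
    """The audited launch (expose_port=True: a profile plus a TCP debugging
    port) beside a hardened one: a throwaway profile directory and
    --remote-debugging-pipe, which carries CDP over file descriptors 3 and 4
    inherited from the launching process, so no other local process can
    connect to it."""
    argv = [chrome_bin, f"--user-data-dir={profile_dir}"]
    argv.append("--remote-debugging-port=9222" if expose_port
                else "--remote-debugging-pipe")
    return argv


class _FakeDevTools(BaseHTTPRequestHandler):
    """Constructed stand-in for Chrome's DevTools HTTP endpoint so the probe
    can be exercised offline; the JSON mirrors the shape Chrome returns."""

    def do_GET(self):
        if self.path != "/json/version":
            self.send_error(404)
            return
        body = json.dumps({
            "Browser": "Chrome/0.0 (constructed)",
            "webSocketDebuggerUrl":
                f"ws://127.0.0.1:{self.server.server_port}/devtools/browser/constructed",
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_fake_devtools() -> HTTPServer:
    """Serve the stand-in on an ephemeral loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeDevTools)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def closed_port() -> int:
    """Pick a loopback port that nothing is listening on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_fake_devtools()
    print("stand-in endpoint :", probe_devtools(srv.server_port))
    srv.shutdown()
    srv.server_close()
    print("closed port       :", probe_devtools(closed_port()))
    print("real Chrome on 9222 exposed:", probe_devtools(9222) is not None)
    print("hardened launch   :", chrome_argv("google-chrome", "/tmp/douyin-profile", False))
```

Running `probe_devtools(9222)` on the host while the skill's Chrome is up is a quick way to confirm the exposure the finding describes; a non-None result means any local user or process could do the same.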

VirusTotal

64/64 vendors flagged this skill as clean.