抖音实时热点榜 (Douyin Real-Time Hot Trends List)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it fetches Douyin trend data through the RedFox API, authenticates with a RedFox API key, and writes local report files. Users should understand those side effects before installing.

Install only if you are comfortable giving this skill a RedFox API key, allowing requests to redfox.hk, and letting it create local JSON/HTML/PDF report files. Set REDFOX_API_KEY in the environment of the session that runs the skill rather than in shell profile files (the script reads ~/.bashrc, ~/.bash_profile and ~/.zshrc to recover it), and use explicit Douyin-specific prompts when invoking subscription or report features so that generic phrases do not trigger them by accident.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill documents capabilities to read environment variables, inspect shell configuration files for credentials, write files, and make network requests, but it does not declare these permissions explicitly. This undermines informed consent and prevents users or platforms from accurately assessing the skill's access scope before execution.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The stated purpose focuses on querying Douyin trending data, but the documented behavior extends to local file generation/export, credential discovery from environment and shell startup files, and possibly local JSON reads. This description-behavior gap is security-relevant because users may invoke a seemingly simple lookup skill without realizing it accesses local secrets and persists artifacts on disk.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The workflow expands the skill from simple hot-trend retrieval into mandatory HTML/PDF generation and file delivery, which is outside the stated skill scope. This scope creep matters because it grants file creation and export behaviors the core task does not need, and those can be abused for unintended content generation, local artifact persistence, or social-engineering-style file delivery.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The instructions require use of preview_url and deliver_attachments on locally generated files, introducing local file exposure and attachment delivery capabilities unrelated to querying hot topics. This is dangerous because once a skill can preview and deliver local artifacts, it can be repurposed to exfiltrate or distribute unintended files under the guise of normal workflow output.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The document instructs the agent to run Python via the system interpreter or a specific user-directory interpreter path, which grants general local command execution capability. This is dangerous because executing local interpreters and scripts from skill instructions creates a direct path to arbitrary code execution, especially when tied to user-writable directories and shell command composition.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The script accesses shell startup files to recover an API key, which expands its data-access scope beyond what users would reasonably expect from a data-fetching/HTML-generation tool. Even though it only targets a named variable, reading personal shell config files without explicit consent or disclosure is a sensitive behavior and can expose credentials from files that may contain other secrets or private configuration.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The script reads ~/.bashrc, ~/.bash_profile, and ~/.zshrc to recover an API key, which expands its access beyond the stated need of fetching Douyin hot-trend data. Shell startup files often contain unrelated secrets and personal configuration, so this creates unnecessary local file access and credential exposure risk even if the code only regex-matches one variable name. In this skill context, local shell-file inspection is not required for core functionality, which makes the behavior more suspicious and less justifiable.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The README says users can invoke the skill by 'just describ[ing] your need in plain language,' which makes activation boundaries ambiguous. In agent environments, overly broad natural-language routing can cause accidental invocation on ordinary conversation, potentially triggering external API calls, subscriptions, or report generation without clear user intent.

Vague Triggers
Severity: Medium
Confidence: 95%
Finding: Example phrases such as 'Douyin trending,' 'Today's hot list,' 'Load more,' and 'Cancel subscription' are generic and likely to overlap with normal user speech. In a multi-skill or assistant setting, this increases the risk of unintended skill activation and unintended actions, especially for state-changing operations like subscribe/cancel workflows.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The README states users can interact by 'directly using natural language to describe needs, without remembering commands,' which creates overly broad invocation boundaries. In agent environments, vague activation guidance can cause the skill to be selected for ordinary conversation or ambiguous requests, increasing the chance of unintended execution and data access through the configured API-backed workflow.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The example trigger phrases include short, generic utterances like '抖音热榜' (Douyin hot list), '昨日热榜' (yesterday's hot list), '继续加载' (load more), and '取消订阅' (cancel subscription), which can easily overlap with normal conversation. In a multi-skill or conversational agent setting, this ambiguity may trigger the skill unintentionally, causing unsolicited API calls, report generation, or subscription changes.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: Broad trigger phrases such as generic references to hot rankings can cause unintended activation during normal conversation. Accidental invocation matters here because the skill performs external API calls and may access local configuration for API keys, increasing the chance of unintentional data disclosure or actions.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: The natural-language command list includes generic commands like '继续加载' (load more) and '取消订阅' (cancel subscription) without strong scoping to this specific skill. In a multi-skill agent environment, such ambiguous commands can collide with unrelated contexts and trigger unintended subscription changes, network requests, or local report generation.
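The six Vague Triggers findings share one remedy, which the overview phrases as "use explicit Douyin-specific prompts": gate activation on a skill-specific scope word, let follow-ups run only inside a session that such a prompt opened, and never let a generic state-changing phrase act without confirmation. The following is an added example, not the skill's own routing code or that of any agent framework. It uses the trigger phrases quoted in the findings as constructed input; the scope pattern, the three decision names, and the session rule are assumptions of the example.

```python
"""Added example (not the skill's own routing): scoped activation for the
generic trigger phrases the Vague Triggers findings quote."""
import re
from enum import Enum
from typing import Iterable, List


class Decision(Enum):
    IGNORE = "ignore"    # not addressed to this skill; do nothing
    RUN = "run"          # read-only fetch, explicitly scoped to Douyin
    CONFIRM = "confirm"  # state-changing: ask the user before acting


# Assumed scope marker: an utterance must name Douyin (or an active session
# must already exist) before anything this skill does can be triggered.
SCOPE = re.compile(r"抖音|douyin", re.IGNORECASE)

# Phrases from the findings, grouped by what they would make the skill do.
# '取消订阅' (cancel subscription) contains '订阅', so one entry covers both.
READ_ONLY = ("热榜", "热点", "hot list", "trending")
FOLLOW_UP = ("继续加载", "load more")
STATE_CHANGING = ("订阅", "subscribe", "subscription")


def route(utterance: str, active_session: bool) -> Decision:
    """Decide whether an utterance may activate the skill.

    State-changing phrases never run directly: they are ignored unless scoped
    or inside an active session, and then still require confirmation.
    Follow-ups need an active session. Read-only fetches need the scope word.
    """
    text = utterance.lower()
    scoped = SCOPE.search(text) is not None
    if any(p in text for p in STATE_CHANGING):
        return Decision.CONFIRM if (scoped or active_session) else Decision.IGNORE
    if any(p in text for p in FOLLOW_UP):
        return Decision.RUN if active_session else Decision.IGNORE
    if any(p in text for p in READ_ONLY):
        return Decision.RUN if scoped else Decision.IGNORE
    return Decision.IGNORE


def simulate(turns: Iterable[str]) -> List[str]:
    """Replay a conversation. A session opens only after a scoped read-only
    activation, so a bare '继续加载' or '取消订阅' can never start one."""
    active = False
    decisions: List[str] = []
    for turn in turns:
        decision = route(turn, active)
        if decision is Decision.RUN:
            active = True
        decisions.append(decision.value)
    return decisions


# Constructed conversation built from the phrases the findings cite.
CONSTRUCTED_TURNS = [
    "继续加载",           # follow-up with no session: ignored
    "取消订阅",           # state change with no session: ignored
    "Today's hot list",   # generic, not scoped: ignored
    "抖音热榜",           # scoped read-only fetch: runs, session opens
    "继续加载",           # follow-up inside the session: runs
    "取消订阅",           # state change inside the session: confirm first
]

if __name__ == "__main__":
    for turn, decision in zip(CONSTRUCTED_TURNS, simulate(CONSTRUCTED_TURNS)):
        print(f"{turn!r:22} -> {decision}")
```

The point of the session rule is that the two generic commands the findings single out, '继续加载' and '取消订阅', have no effect at all until a Douyin-scoped request has run, and the subscription change still stops at a confirmation rather than firing a network request.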

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill does not clearly warn users that their queries and related request metadata will be sent to the third-party RedFox API service. Even if the data sent is operationally necessary, the lack of upfront disclosure creates a privacy and transparency issue, especially when user-entered dates, keywords, and usage patterns may be transmitted externally.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script silently reads sensitive credential material from shell configuration files without notifying the user at the point of access. This violates least surprise and can normalize secret harvesting behavior in a skill whose stated purpose is only to retrieve and render Douyin hot-list data.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script uses a discovered API key to make an authenticated network request without a clear user-facing disclosure in the execution flow. In this skill context, that is risky because the tool appears to be a simple content fetcher/generator, yet it can automatically transmit a locally discovered secret to a remote service.
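The two Context-Inappropriate Capability findings on ~/.bashrc, ~/.bash_profile and ~/.zshrc, the Missing User Warnings findings on silent credential reads and undisclosed use of the key, and the overview's advice to set REDFOX_API_KEY in the environment all describe one pattern. The following is an added example, not the skill's code and not RedFox's. It reproduces the flagged lookup over constructed profile files to show how much gets read even when only one variable is matched, puts an environment-only lookup with an upfront disclosure beside it, and adds the static check a reviewer can run over a skill script to spot profile reads. The file names, the variable name and the redfox.hk host come from this page; the function names, the disclosure text, the regexes and the sample file contents are assumptions of the example.

```python
"""Added example (not the skill's or RedFox's own code): the shell-profile key
lookup the findings flag, an environment-only lookup beside it, and a static
check that spots profile reads in a skill script."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Mapping, Optional, Tuple

KEY_NAME = "REDFOX_API_KEY"
# Startup files the findings say the script inspects.
SHELL_PROFILES = (".bashrc", ".bash_profile", ".zshrc")
# Matches e.g. `export REDFOX_API_KEY="rf_..."` or `REDFOX_API_KEY=rf_...`.
ASSIGNMENT = re.compile(
    r'^\s*(?:export\s+)?' + re.escape(KEY_NAME) + r'\s*=\s*["\']?([^"\'\s]+)',
    re.MULTILINE,
)


def harvest_key_from_profiles(home: Path) -> Tuple[Optional[str], List[str]]:
    """The flagged behaviour: regex-scrape shell startup files for one variable.

    Returns the value and every file whose full contents were read. Only one
    variable name is matched, but each file is read whole, may hold unrelated
    secrets, and the user is never told this happened.
    """
    files_read: List[str] = []
    for name in SHELL_PROFILES:
        path = home / name
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        files_read.append(name)
        match = ASSIGNMENT.search(text)
        if match:
            return match.group(1), files_read
    return None, files_read


def redact(secret: str) -> str:
    """Show only a short prefix so the disclosure itself never leaks the key."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def load_key_from_env(environ: Optional[Mapping[str, str]] = None,
                      disclose=print) -> str:
    """Hardened lookup: read the key only from the process environment, fail
    closed if it is absent, and say up front what will be sent where."""
    env = os.environ if environ is None else environ
    value = env.get(KEY_NAME, "").strip()
    if not value:
        raise RuntimeError(
            f"{KEY_NAME} is not set. Export it in the shell that runs this "
            "skill; no files will be read to look for it.")
    disclose(f"Using {KEY_NAME} from the environment ({redact(value)}); "
             "it will be sent with requests to redfox.hk.")
    return value


# Reviewer check: does a skill script reference shell startup files at all?
PROFILE_REFERENCE = re.compile(r"\.(?:bash_profile|bashrc|zshrc|zprofile|profile)\b")


def shell_profile_references(source: str) -> List[str]:
    """Return the distinct profile file names mentioned in a script."""
    return sorted({m.group(0) for m in PROFILE_REFERENCE.finditer(source)})


def make_constructed_home() -> Path:
    """Constructed sample input: a home directory whose profiles hold the
    RedFox key next to an unrelated secret, as the findings warn is common."""
    home = Path(tempfile.mkdtemp(prefix="skill-demo-"))
    (home / ".bashrc").write_text(
        'export OTHER_SERVICE_TOKEN="constructed-unrelated-secret"\n'
        "alias ll='ls -la'\n")
    (home / ".bash_profile").write_text("source ~/.bashrc\n")
    (home / ".zshrc").write_text('export REDFOX_API_KEY="rf_live_1234567890"\n')
    return home


# Constructed stand-in for the lookup loop a skill script might contain.
CONSTRUCTED_SKILL_SNIPPET = (
    'for f in ("~/.bashrc", "~/.bash_profile", "~/.zshrc"):\n'
    "    text = open(os.path.expanduser(f)).read()\n"
)

if __name__ == "__main__":
    home = make_constructed_home()
    key, touched = harvest_key_from_profiles(home)
    print("harvested", redact(key or ""), "after reading", touched)
    print("hardened:", redact(load_key_from_env({KEY_NAME: "rf_live_1234567890"})))
    print("profile refs in script:", shell_profile_references(CONSTRUCTED_SKILL_SNIPPET))
```

Run against the constructed home directory, the harvesting lookup reads all three files in full before it finds the key in ~/.zshrc, which is the exposure the findings describe. The hardened lookup never opens a file, and its disclosure names the destination host so the user sees the transmission before it happens. The static check is what a skill reviewer would apply to the script itself: any hit on a profile file name in a data-fetching skill is worth a finding of its own.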

VirusTotal

65/65 vendors reported this skill as clean; no vendor flagged it.