Security audit

发布抖音短视频_无限

Security checks across malware telemetry and agentic risk

Overview

This skill is largely what it discloses, a Douyin upload assistant, but it is advertised as publishing videos while its workflow actually stops at saving a draft.

Install only if you want an assistant that uploads a Douyin video and saves it as a draft, not one that completes public publishing. Provide only the intended video path, use the intended Douyin account, and manually review the draft (title, tags, cover, permissions, collection, and AI declaration) before publishing.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High (97% confidence)

Finding
The skill’s declared purpose is to publish a Douyin/TikTok short video, but the actual workflow ends by clicking “暂存离开” to save a draft instead of publishing. This mismatch is a genuine integrity issue: downstream agents or users may rely on the documented capability and assume content has been posted when it has not, causing silent workflow failure or misleading automation results.

Intent-Code Divergence

Medium (91% confidence)

Finding
The element reference table says file upload requires the user to select a file, but the instructions actually automate the OS-level file dialog using pyautogui and clipboard injection. This is dangerous because it hides a higher-privilege automation behavior that can select local files without an explicit, visible user selection step, increasing the risk of unintended local file access or exfiltration.

VirusTotal

66/66 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.