Back to skill

Security audit

抖音视频发布

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by posting Douyin videos, but it also automates a real public publish action and adds a fixed location without clear user confirmation.

Install only if you are comfortable letting the agent operate a logged-in Douyin creator account. Before using it, require the agent to show the final video, title, hashtags, cover, account, and location, and only allow it to click publish after you explicitly approve. Override or remove the fixed "苏州中心" location unless you specifically want that location attached.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill automates posting to an external platform using the user's logged-in Douyin creator account, but it does not clearly foreground that this is an account-affecting action that will publish content publicly. In an automation context, insufficient disclosure can lead to unintended posting, reputational harm, or misuse of an authenticated session without informed user confirmation.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill hard-codes the location "苏州中心" during publication without asking the user, which can cause unauthorized metadata insertion into the post. This is dangerous because location metadata may misrepresent the content, violate user intent, or expose privacy-sensitive preferences in a real social-media publishing flow.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The checklist reinforces a mandatory fixed location choice of "苏州中心", increasing the chance that every automated post includes unintended location metadata. In the context of a publishing skill operating on a logged-in account, this makes the unsafe behavior systematic rather than incidental.

VirusTotal

45/45 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.