ClawHub

Douyin Video Fetch

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Douyin video downloader whose network access and local file writes match its stated purpose, with some ordinary CLI safety caveats.

Install only if you are comfortable with a Python downloader that launches a headless browser, contacts Douyin/video-hosting endpoints, reads any batch file path you provide, and writes MP4 files to the selected output directory. Use it only for videos you are authorized to download, choose a dedicated output folder, and avoid pointing --file at sensitive local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and invokes network access and local file writes/reads, but the metadata does not declare permissions or otherwise make those capabilities explicit. This creates a transparency and consent problem: an agent or reviewer may underestimate the skill's ability to fetch remote content and persist files locally, increasing the chance of unintended data access or filesystem modification.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The markdown instructs users to download Douyin videos to local storage without warning about local writes, copyright/terms-of-service issues, or privacy implications of storing third-party media. In this context, the skill is explicitly a downloader and material-ingestion step, so missing warnings and guardrails make misuse more likely even if the behavior is not inherently malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal