Security audit

Douyin Video Parsing and Download (KK Custom Edition)

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Douyin video download and transcription helper, with disclosed local media processing and external parsing methods but some privacy details users should understand.

Before installing, verify that the referenced local douyin-analyzer MCP server is trusted because its code is not included in this package. Only process Douyin links you are comfortable sending through the disclosed parsing services, and delete temporary video/audio/transcript files from /tmp when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 86%
Finding:
The skill explicitly instructs downloading videos, extracting audio, and transcribing content while only mentioning that files are temporarily stored in /tmp, without giving a clear privacy warning or describing retention, access scope, or handling of potentially sensitive media. In practice, this can cause users to process personal or copyrighted content without understanding that media and derived transcripts may persist on disk and be exposed to other local processes or users.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The skill documents fallback use of a third-party parsing API for Douyin links without warning users that shared links and related metadata may be transmitted to an external service outside the local environment. This creates a privacy and trust risk because user-supplied URLs, viewing targets, and possibly associated request metadata can be disclosed to an unvetted third party.

VirusTotal

65/65 vendors flagged this skill as clean.