抖音内容提取总结

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: downloads a Douyin video, sends it to SiliconFlow for transcription, summarizes it, and cleans up the temporary video file.

Install only if you are comfortable with Douyin video/audio being downloaded locally and uploaded to SiliconFlow for transcription using your configured SF_API_KEY. Avoid using it on private, confidential, or sensitive videos unless that third-party processing is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill description says it will download Douyin videos and use a cloud model for transcription, but it does not present a clear user-facing privacy warning or consent step before sending third-party content off-platform. This creates a real data-handling risk because shared videos may contain personal data, copyrighted material, or confidential speech that users do not realize will be transmitted to an external API provider.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill uploads the downloaded MP4 file to a third-party transcription service, which is an external data exfiltration path for user-provided content. In an agent/skill context, this is dangerous because users may reasonably expect local processing, and the code provides no disclosure, consent flow, domain allowlist, or data handling safeguards before transmitting potentially sensitive audio/video off-platform.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal