DeepSop TK工作台

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates DeepSOP video generation and TikTok publishing, with real account impact that users should confirm carefully before use.

Install only if you intend to let DeepSOP create and publish videos to your connected TikTok accounts. Before allowing submission, verify the target account, privacy level, prompt, posting cadence, and any DeepSOP credit purchase; keep the API key out of chats, logs, screenshots, and repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 83%
Finding
The README explicitly promotes automated generation and scheduled posting to TikTok accounts, including repeated posting at set intervals, but does not provide a clear user-facing warning or confirmation requirement for account-impacting actions. In an agent skill context, this increases the chance of unintended posting, spammy behavior, or policy/account enforcement issues if a user request is misinterpreted or triggered automatically.

Missing User Warnings

Low
Confidence: 74%
Finding
The README instructs users to place a live API key in an environment variable but does not warn against exposing credentials in logs, screenshots, shell history, shared terminals, or repositories. While environment variables are common, the lack of secure-handling guidance can lead to accidental credential disclosure and unauthorized use of the DeepSOP account.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill is designed to publish content to external TikTok accounts and schedule follow-up actions, but it lacks a prominent up-front warning that it can cause real-world posting to third-party accounts. In an agent setting, this can lead to unintended publication, reputational damage, or misuse of linked social accounts if the user does not clearly understand the consequence of invoking the skill.

Missing User Warnings

Low
Confidence: 84%
Finding
The document instructs users to configure a sensitive API key in an environment variable but does not include clear handling guidance such as never echoing, logging, or embedding the key in prompts or files. This increases the risk of credential leakage through chat history, shell history, logs, or accidental disclosure by downstream tooling.

VirusTotal

66/66 vendors flagged this skill as clean.
