抖音实时上升热点榜

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: fetch Douyin rising-trend data from a disclosed third-party API using a required service API key.

Install this only if you trust devtool.uk/coze-js-api with your AZT_API_KEY and Douyin trend query parameters. Prefer using a scoped or low-privilege key, avoid pasting secrets into chat or logs, and rotate the key if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger conditions are broad and overlap with common requests about Douyin trends, hot topics, and Python API usage. This can cause the skill to be invoked when the user did not intend to send data or credentials to an external service, increasing the chance of unnecessary secret use or external data transmission.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill asks for an API key and sends request parameters to an external third-party endpoint, but it does not clearly warn users that their credentials and query data will be transmitted outside the local system. This lack of disclosure undermines informed consent and can expose sensitive tokens or search terms to an external service unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal