Douyin Script Parsing (抖音文案解析)

Security checks across malware telemetry and agentic risk

Overview

This is a focused Douyin transcription helper that sends the provided link or share text and an API key to a named external service, so use it only if you trust that service.

Install this only if you are comfortable sending Douyin links or copied share text, plus a dedicated DOUYIN_TRANSCRIBE_API_KEY, to coze-js-api.devtool.uk. Avoid pasting unrelated private text in the share input, prefer a service-specific key, and rotate the key if it appears in logs or command history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation guidance is broad enough to trigger on generic requests like transcription, subtitle extraction, request building, or debugging, which can cause the skill to activate in contexts where the user did not clearly consent to using this external API workflow. Because the skill also performs shell execution and external transmission, overbroad matching raises the chance of accidental data disclosure or unnecessary execution on unrelated user content.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs the agent to send user-provided Douyin share text or URLs along with an API key to a third-party endpoint, but it does not require an explicit user-facing disclosure or consent step about external data sharing. Share text may contain personal or contextual information, and transmitting both content and credentials to an external service without clear warning can violate privacy expectations and increase the blast radius of misuse or compromise.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script transmits both user-provided Douyin share text and the secret API key to a third-party remote service, which is the core behavior of the skill, but it does so without explicit disclosure, consent, or any trust-boundary explanation. In a skill that advertises API key handling and shell execution, this increases the risk of unintended data exfiltration, especially if users paste share text containing extra personal data or assume processing is local.

VirusTotal

63/63 vendors flagged this skill as clean.
