Back to skill

Security audit

抖音文案解析

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: sends a Douyin link and the configured API key to a disclosed transcription API, with no hidden persistence or unrelated behavior found.

Install only if you trust the devtool.uk transcription service with your Douyin link/share text and DOUYIN_TRANSCRIBE_API_KEY. The skill is not hidden or self-persisting, but it does transmit your input and credential to an external API when used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell execution (`bash`, `curl`, `python3`) and instructs the agent to run `exec bash scripts/transcribe_douyin.sh` using user-influenced input, but no explicit permission model is declared beyond metadata requirements. This weakens security boundaries and increases the chance of unsafe command execution or privilege creep, especially if the wrapper script is later modified or handles quoting incorrectly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends both the user's Douyin share text and the secret API key to a third-party endpoint without any explicit disclosure, consent prompt, or data-handling notice at execution time. In this skill's context, that matters because users may paste full share text containing tracking data or other sensitive content, and the script normalizes exfiltration of both user input and credentials to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.