Douyin Auto Publish (Douyin automatic upload and publishing)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Douyin video uploader, but users should pay attention because it operates a logged-in creator account and saves a small visibility preference.

Install only if you are comfortable letting an agent operate a logged-in Douyin Creator session. Use the dedicated douyin-profile or sandbox mode, avoid profile="user", review the file name, title, and visibility before confirming, and do not approve unrelated account, payment, export, or settings actions through this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill reads from and writes to a persistent local config file to store `default_visibility`, which exceeds the narrowly scoped task of a one-time video upload/publish flow. Even though the stored value is low sensitivity, unnecessary persistence increases data retention and creates a precedent for local state modification outside the immediate user request.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The instruction that unspecified additional user-needed operations should be handled with the same UI-matching method broadens the skill from a constrained uploader into a general-purpose browser operator on the Douyin creator site. That increases the chance of unintended or unauthorized actions, especially because the browser session may be logged in and the guidance does not enumerate or constrain those extra operations.

VirusTotal

64/64 vendors flagged this skill as clean.