Back to skill

Security audit

Douyin-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a Douyin uploader that clearly performs login, local session reuse, and video publishing, with sensitive but purpose-aligned behavior disclosed.

Install only if you want this tool to act through your logged-in Douyin Creator account. Protect the skill directory because it stores reusable login cookies, use --no-publish when testing or preparing drafts, and run node scripts/manage.js clear when you want to remove saved session data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists Douyin authentication cookies to a local JSON file and reuses them for future authenticated sessions, but it does not provide an explicit user warning or consent flow about long-lived session storage. Although it sets restrictive file permissions afterward, session cookies are still sensitive bearer credentials, and local persistence increases the risk of account takeover if the host, workspace, backups, or adjacent tooling are compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The uploader automatically clicks the publish button when autoPublish is not explicitly set to false, without a final interactive confirmation immediately before posting. In a social-media publishing tool, this creates a meaningful risk of unintended public posting, including accidental release of sensitive, non-final, or policy-violating content under the user's account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.