Security audit

抖音视频提取文案 (Douyin video transcript extraction)

Security checks across malware telemetry and agentic risk

Overview

This transcription skill is mostly coherent, but it needs review because it explicitly automates bypassing Douyin's login wall and overstates its privacy guarantees while making outbound network requests and downloading remote media.

Install only if you are comfortable with a skill that installs a local Python environment, Chromium, and Whisper dependencies, contacts Douyin for shared links, downloads videos, and saves/prints full transcripts. Use it only on content you are authorized to access, and avoid confidential media unless you are comfortable with transcript files and tool logs containing the full spoken content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not python:
        return -1, "", "venv Python not found"
    try:
        r = subprocess.run(
            [python, "-c", script],
            capture_output=True, text=True, timeout=timeout
        )
Confidence
95% confidence
Finding
r = subprocess.run( [python, "-c", script], capture_output=True, text=True, timeout=timeout )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to read and write local files, invoke shell commands, inspect environment-specific configuration, and make outbound network requests, yet no permissions are declared. This creates a transparency and least-privilege failure: users and the hosting platform cannot accurately assess or constrain what the skill is allowed to do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The description says the workflow is fully local, uses no cloud API, and has 'zero privacy risk,' but the documented behavior includes fetching remote Douyin content, calling Douyin web APIs, downloading videos, and installing external dependencies and Chromium. This mismatch can mislead users into sharing sensitive links or local files under false assumptions about data flow and execution behavior.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The downloader fetches whatever URL it is given without validating scheme, host, or media type, so a manipulated capture/API response could cause the agent to retrieve arbitrary remote content. In an agent environment, this expands the skill from 'Douyin transcription' into a generic network fetch primitive, which can enable SSRF-like access to internal services, downloading unexpected large files, or pulling non-media payloads for later processing.
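The kind of pre-fetch validation this finding says the downloader lacks, as an added example that is not the skill's or SkillSpector's own code. It treats the capture/API-supplied URL as attacker-controlled and checks scheme, embedded credentials, host allowlist, port, resolved addresses, and then the response's media type and declared size before any body is read. The host suffixes, media types and size cap are assumptions chosen for illustration, not values taken from the skill; the resolver is injectable so the checks can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Assumed allowlist of host suffixes the downloader is expected to contact.
# A real list must be derived from the skill's observed capture/API responses.
ALLOWED_HOST_SUFFIXES = ("douyin.com", "douyinvod.com")
ALLOWED_MEDIA_TYPES = {"video/mp4", "audio/mp4", "audio/mpeg", "audio/wav"}
MAX_MEDIA_BYTES = 500 * 1024 * 1024  # assumed cap on a single downloaded file


def _resolve(host: str) -> list[str]:
    """Default resolver: every address (A and AAAA) the host currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted suffix; rejects look-alikes
    such as douyin.com.attacker.example."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def vet_download_url(url: str, resolve: Callable[[str], Iterable[str]] = _resolve) -> tuple[bool, str]:
    """Decide whether a capture/API-supplied URL may be fetched.

    Returns (True, host) or (False, reason). Scheme, credentials, host, port
    and every resolved address are checked before any request is made.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not _host_allowed(host):
        return False, f"host not in allowlist: {host!r}"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"port not allowed: {port}"
    # An allowlisted name can still resolve to an internal address (DNS
    # rebinding, a poisoned resolver), so every resolved address is checked.
    addrs = list(resolve(host))
    if not addrs:
        return False, f"host did not resolve: {host!r}"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, host


def vet_response_headers(headers: dict) -> tuple[bool, str]:
    """Check Content-Type and Content-Length before the body is read.

    Returns (True, declared size) or (False, reason). Content-Length is also
    attacker-controlled, so the caller must additionally stop reading once
    MAX_MEDIA_BYTES have been received from the stream.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_MEDIA_TYPES:
        return False, f"unexpected media type {ctype!r}"
    length = lowered.get("content-length", "")
    if not length.isdigit():
        return False, "missing or non-numeric Content-Length"
    if int(length) > MAX_MEDIA_BYTES:
        return False, f"declared size {length} exceeds cap {MAX_MEDIA_BYTES}"
    return True, length


if __name__ == "__main__":
    # Constructed inputs; the resolver is stubbed so this runs offline.
    public = lambda host: ["93.184.216.34"]
    for candidate in (
        "https://v3-web.douyinvod.com/abc.mp4?x=1",
        "http://v3-web.douyinvod.com/abc.mp4",
        "https://169.254.169.254/latest/meta-data/",
        "https://douyin.com.attacker.example/abc.mp4",
    ):
        print(candidate, "->", vet_download_url(candidate, public))
```

The resolved-address check is what turns a host allowlist into an SSRF guard: without it, a name that passes the suffix test but resolves to a loopback, link-local or RFC 1918 address still reaches internal services. The header check belongs before the body read, and the byte cap must be enforced while streaming, because a server can lie in Content-Length.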

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Claiming 'privacy zero risk' is misleading because Douyin-link mode necessarily contacts external servers, fetches metadata, and downloads remote media. Overstated privacy claims can cause users to expose personal, confidential, or regulated content without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
In `--fix` mode, the verifier automatically launches `setup_env.py --force`, which may install packages, download binaries, or modify the environment, with only minimal disclosure immediately before execution. In a skill context that already advertises browser automation and local model setup, silently chaining into a forceful setup path increases the risk of unexpected system changes or consent bypass.

Ssd 2

Medium
Confidence
93% confidence
Finding
The skill explicitly advertises using Playwright to bypass Douyin's login wall and capture video content. Encoding access-control bypass behavior into a skill increases legal, compliance, and platform-abuse risk, and it could be repurposed to retrieve content that a normal user flow should not access automatically.

Ssd 2

Medium
Confidence
94% confidence
Finding
The workflow operationalizes repeated attempts to capture video URLs despite login gating, including retries and a fallback retrieval path. This is dangerous because it normalizes automated circumvention of access restrictions and makes unauthorized content retrieval more robust.

Ssd 2

Medium
Confidence
94% confidence
Finding
The technical notes present 'login-wall bypass' and alternate retrieval methods as supported design features rather than edge cases to avoid. That framing encourages maintainers and agents to preserve circumvention functionality, increasing compliance and abuse risk over time.

Ssd 3

Medium
Confidence
86% confidence
Finding
The script prints the full raw transcript to stdout explicitly for agent consumption, which can expose sensitive spoken content, personal data, or confidential material in logs, tool traces, or downstream agent context. Because this skill handles local audio/video and user-shared links, the transcript may contain private content well beyond what should be persisted or surfaced automatically.

VirusTotal

61/61 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.