Douyin DL

Security checks across malware telemetry and agentic risk

Overview

This skill appears to download Douyin videos as advertised, but crafted URLs, filenames, or page data could cause unintended local shell commands to run.

Review before installing. Use only trusted Douyin links and simple filenames/paths, and prefer a revised version that removes shell=True, passes subprocess arguments as lists, validates Douyin/media URLs, sanitizes user-supplied filenames, and avoids overwriting files by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run(cmd: str, timeout: int = 30) -> str:
    """Run a shell command and return stdout."""
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    return r.stdout.strip()
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_check(cmd: str, timeout: int = 30) -> str:
    """Run a shell command and raise on failure."""
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    if r.returncode != 0:
        raise RuntimeError(f"Command failed: {cmd}\n{r.stderr}")
    return r.stdout.strip()
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36' "
        f"'{video_src}'"
    )
    r = subprocess.run(dl_cmd, shell=True, capture_output=True, text=True, timeout=300)
    if r.returncode != 0:
        print(f"❌ Download failed: {r.stderr}", file=sys.stderr)
        sys.exit(1)
Confidence
99% confidence
Finding
r = subprocess.run(dl_cmd, shell=True, capture_output=True, text=True, timeout=300)

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill documentation explains how to download videos and accepts user-controlled output paths and filenames, but it does not clearly warn that it writes files to the local filesystem. This can lead to unsafe usage, unexpected overwrites, or writing into sensitive directories if a user supplies a risky path.

VirusTotal

62/62 vendors flagged this skill as clean.
