lgCapture

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Douyin video downloader, but one bundled helper script can overwrite any file path the agent is told to use.

Review before installing. Use the documented `douyin.py` path, run it only on legitimate Douyin links, and avoid invoking `download.py` with a custom output path unless you intentionally choose a safe location. A contained working directory is prudent because the skill runs a browser and writes downloaded content to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tainted flow: 'download_url' from requests.get (line 74, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
        # 6. Download video
        print(f"⬇️ 下载中...")
        resp = requests.get(download_url, headers={
            'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15',
            'Referer': 'https://www.douyin.com/'
        }, timeout=60)
Confidence
92% confidence
Finding
resp = requests.get(download_url, headers={ 'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15', 'Referer': 'https://www.douyin.

VirusTotal

65/65 vendors flagged this skill as clean.
