mar-douyin-hot-trend

Security checks across malware telemetry and agentic risk

Overview

The skill mainly fetches Douyin trend data, but it also includes under-disclosed Telegram delivery metadata and an unsafe command wrapper that should be reviewed before installation.

Install only if you understand and want the Telegram-style automation artifacts. Use a limited SkillBoss API key, do not connect the generated JSON to any messaging tool unless the chat_id is yours and intentional, and avoid passing untrusted arguments to the helper scripts until execSync is replaced with safer argument handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
If the skill actually formats results into Telegram Markdown, generates Telegram-targeted JSON, includes fixed `chat_id`/channel values, and writes multiple local output/debug files while only describing itself as a Douyin trend fetcher, that is a material hidden-behavior mismatch. Undisclosed outbound publication targets and local file writes can cause silent data exfiltration, unauthorized posting, operational misuse, or leakage of fetched content and metadata beyond the user’s expected workflow.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s stated purpose is to fetch and return Douyin hot-trend data, but this file also formats a Telegram-ready message, embeds delivery metadata, and emits output intended for downstream messaging. This expands the skill from passive data retrieval into content distribution, which increases the chance of unauthorized data exfiltration or misuse in larger agent pipelines where console/file outputs are automatically consumed.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code hard-codes a Telegram chat_id and channel metadata even though the skill description only covers fetching Douyin hot-trend data. In an agent environment, hard-coded outbound routing can silently direct generated content to an external destination, creating a real risk of unauthorized disclosure and behavior outside the declared scope.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The file writes message and JSON artifacts to local disk even though the advertised purpose is only to retrieve trend data. While likely intended for debugging or integration, unnecessary persistence increases data exposure, leaves residual artifacts, and can become a leakage path if other processes monitor or upload those files.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The JSON output includes operational delivery metadata such as a Telegram chat identifier, channel, and a preformatted push message, which goes beyond the skill's stated purpose of returning Douyin hot-list data. This creates unnecessary data exposure and couples content generation with downstream delivery details, increasing privacy and misuse risk if outputs are logged, shared, or reused in other contexts.

VirusTotal

66/66 vendors flagged this skill as clean.