
Security audit

Douyin Transcribe

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it advertises, but it builds shell commands from user-supplied links and paths, which creates a real local command-execution risk.

Review before installing. Use only with trusted Douyin links and safe output paths, because a crafted link or path could be interpreted by the local shell. Treat the workflow as networked: the Douyin URL is submitted to hellotik.app, media is downloaded from resolved CDN URLs, and generated files remain on disk unless cleanup is requested. Do not enable or extend Feishu upload unless you understand exactly which tenant and destination IDs will receive the content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def e(cmd, timeout=30):
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    return r.returncode, r.stdout, r.stderr
Confidence
94% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def e(cmd, timeout=120):
    """Run a shell command and return (returncode, stdout, stderr)"""
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    return r.returncode, r.stdout, r.stderr
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents capabilities to access the network, invoke shell commands, and write files, yet it declares no permissions. This weakens user and platform visibility into what the skill can actually do, increasing the chance of unexpected data access, downloads, persistence, or command execution without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The stated purpose is simple Douyin transcription, but the documented workflow also automates a third-party site, downloads additional content, and can sync outputs to Feishu. This mismatch is dangerous because users may consent to transcription while not realizing their data and links are being sent to external services or stored in cloud destinations.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documentation expands beyond local transcription into Feishu cloud upload and knowledge-base synchronization without making that data flow prominent in the core skill description. This creates a privacy and data-handling risk because transcripts, media-derived content, and metadata may be transmitted to external cloud systems unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill presents the ASR pipeline as effectively offline while the documented setup and workflow require network access for model retrieval and for resolving video links through hellotik.app. Users relying on offline/local-only processing could unintentionally expose sensitive URLs or content to third parties.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The claim 'completely offline' directly contradicts the described need for external web access and model downloads. Misrepresenting data flow is security-relevant because users may process private content under false assumptions about locality and confidentiality.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
This Douyin transcription skill includes Feishu cloud-drive and knowledge-base upload capability that is not necessary for the stated purpose of transcription. Unnecessary external upload functionality increases the data-exfiltration surface, especially because the skill handles downloaded media and transcripts that may contain sensitive content.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The module docstring claims it uploads media and creates knowledge-base documents, but the implementation only prints placeholders and skips the API call. This mismatch is security-relevant because it obscures the real behavior and intended data flows, making review, consent, and operational controls harder.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script launches a browser and automates interactions with hellotik.app, an unrelated third-party downloader, to process user-provided Douyin links. This expands the trust boundary substantially: user data is exposed to a third party, and the agent depends on dynamic remote content and browser automation that can be changed server-side without review, creating privacy, integrity, and supply-chain-like risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is presented as a Douyin download/transcription pipeline, but it also contains functionality to upload the downloaded media, transcript, and source context to Feishu/knowledge-base services. This is a data-flow expansion beyond the declared purpose and can lead to unexpected exfiltration of user content to third-party systems.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Feishu cloud upload capability is not necessary to accomplish local transcription and therefore increases the attack surface and privacy risk without being justified by the stated skill purpose. Users may invoke the skill expecting local processing, while the code supports sending outputs to remote storage when parameters are supplied.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill does not clearly warn users that transcripts and related content may be uploaded to Feishu cloud services. For transcription workflows, outputs often contain sensitive spoken content, so silent cloud transmission can create confidentiality, compliance, and retention risks.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The skill notes that files are saved locally but does not strongly warn that video, audio, and transcript artifacts may persist on disk unless cleanup is requested. Persistent local storage can expose sensitive media and transcripts to other local users, backups, or later unintended reuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The subprocess-embedded Python reads Feishu-related environment variables without any visible user disclosure or consent flow. Accessing agent runtime secrets in a hidden subprocess is dangerous because it normalizes secret use in opaque execution paths and can easily be extended to transmit those credentials externally.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script types a user-supplied Douyin URL into a form on hellotik.app without any explicit consent or disclosure in the code path. Even if the URL seems non-sensitive, it may reveal user interests, private/shared content references, tracking parameters, or internal workflow data, and sending it to an external service without notice creates a clear privacy and data-handling issue.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code can upload the transcript and source URL to Feishu without any explicit runtime warning or consent dialog describing that user data will leave the local environment. Because transcripts may contain sensitive speech content and URLs may reveal user interests or identities, silent transmission creates a meaningful privacy and compliance risk.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill file includes live Feishu folder and knowledge-base identifiers, which can facilitate unintended uploads to a preconfigured destination and may expose internal resource identifiers. Hardcoded destination IDs increase the risk of data being sent to the wrong tenant/location without the operator fully understanding where content is going.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
