Tp2
High
- Category
- MCP Tool Poisoning
- Confidence
- 85% confidence
- Finding
- Mixing characters from multiple Unicode scripts in a single identifier is a common technique to create visually ambiguous tool names.
Douyin Messager | 抖音私信助手
Security checks across malware telemetry and agentic risk
Overview
This is an instruction-only Douyin browser assistant whose sensitive account access is disclosed and tied to its stated messaging/comment purpose.
Install only if you are comfortable letting the agent operate through a dedicated logged-in Douyin browser profile and view selected DMs/comments. Before approving any write action, verify the visible account, target recipient or comment, and exact content; clear the profile's Douyin login when finished if you no longer want this access available.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
62/62 vendors flagged this skill as clean.