Douyin Upload MCP Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is broadly coherent as Douyin marketing automation, but it grants and automates high-impact account, browser, host, and data-sharing powers that are not tightly scoped enough for automatic trust.

Install only in a dedicated, non-sensitive OpenClaw/browser environment. Do not let it reuse your normal Chrome or Edge profile, review and disable automatic systemd/scheduler jobs you do not want, avoid using platform accounts you cannot risk, and configure LLM/XiaoIce/Feishu credentials with least privilege and known endpoints. Treat destructive scripts, auto-reply, auto-publish, and anti-detection behavior as requiring explicit operator approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The README explicitly advertises stealth and anti-detection measures to evade Douyin's bot-detection systems, which goes beyond ordinary browser automation documentation. In the context of a skill designed for automated publishing, these instructions materially enable covert automation, account abuse, and circumvention of platform safeguards, increasing the likelihood of deceptive or policy-violating use.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The prompt explicitly instructs OpenClaw to install or switch the system Node.js runtime to 22+ and install/configure Chrome or Edge if missing. That expands the skill from Douyin-specific automation into unrestricted system administration and package management, increasing the attack surface and granting the skill authority to modify core host software beyond what is necessary for review or limited execution.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The bootstrap logic goes beyond configuring the skill itself and can install host-level software with apt-get and by downloading a Chrome .deb from the internet. Even if intended for setup convenience, this expands the skill's authority from Douyin automation into general system administration, increasing the blast radius if the script is run on a sensitive workstation or server.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The script creates and restarts user systemd services and can also restart an external openclaw-gateway service, which affects persistent host behavior outside the immediate task of posting to Douyin. This kind of service management creates a persistence mechanism and can disrupt or modify other local automation components if misused or if environment variables are tampered with.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The script uses X11/XTest to synthesize mouse and keyboard input at fixed screen coordinates, which enables interaction with any desktop window the process can reach, not just the intended browser prompts. In this skill context, that bypasses normal browser and automation safety boundaries and could dismiss security prompts, authorize unintended actions, or interfere with other applications if the desktop layout changes or an attacker influences what window is focused.

Description-Behavior Mismatch

Medium (96% confidence)
Finding
This script adds destructive capability—deleting Douyin content by matching a title—that is materially broader than the skill’s declared publishing/login-guard workflow. It performs DOM-based selection and confirmation clicks with only a title string as the safeguard, so a user or downstream agent could remove the wrong content or abuse the skill for unauthorized moderation/destructive actions.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The script loads generic LLM provider configuration and API credentials from broad user/home config paths and environment variables, then permits outbound requests to whatever base URL is configured. That creates an unnecessary data egress and trust-boundary expansion for a tool whose core job is to derive a content plan from Douyin/Feishu data, and it increases the chance of silently sending business data to an unintended third-party endpoint.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The code serializes the full generated context, including account performance data and persona/profile details, into a prompt and sends it to an externally configured LLM endpoint. This is dangerous because it can disclose potentially sensitive business analytics, customer targeting information, and operational context to arbitrary third parties without clear minimization, consent, or endpoint restrictions.

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The code reads an external .env file from a different local tool directory and uses its contents to influence model selection and runtime behavior. This crosses trust boundaries: a compromised or user-writable external directory can inject configuration or secrets into this skill, causing unauthorized account use, model hijacking, or unintended automation under another tool's credentials.

Context-Inappropriate Capability

Medium (84% confidence)
Finding
The controller spawns multiple local scripts and forwards user-derived text into automation routes, effectively making this file an orchestration hub with broad local side effects. Although spawnSync avoids shell injection, the design still creates a dangerous capability surface where untrusted chat commands can trigger publishing, training, syncing, and messaging flows across other scripts.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The code automatically clones the user's default Chrome/Edge profile into a separate skill-controlled directory, which can copy cookies, saved login state, local storage, and other browsing artifacts unrelated to Douyin automation. In this skill's context, that is especially dangerous because the tool performs login handling, publishing, messaging, and remote automation, so inheriting an existing browser profile can silently grant broad account access far beyond the minimum needed scope.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The code spawns a local Python script from the host environment to close native browser prompts, which extends the skill's power beyond normal browser automation and creates an unnecessary local code-execution dependency. In an agent skill context, this can be abused to manipulate host UI state or become a pivot for executing modified local scripts outside the browser sandbox.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The README documents a bundled XiaoIce video task service and MCP plugin that are outside the stated Douyin-only purpose of the skill. Hidden or undocumented adjacent capabilities increase attack surface and create tool-confusion risk: an agent or operator may invoke the wrong vendor component, route sensitive tokens to an unintended service, or expose callback/admin endpoints that were not expected in this skill’s trust boundary.

Context-Inappropriate Capability

Medium (84% confidence)
Finding
Documentation advertising generic self-hosted service operation, callback exposure, and OpenClaw plugin support unrelated to the declared Douyin workflow suggests capability creep and incomplete scoping. In this skill context, that mismatch is more dangerous because the package is supposed to be used automatically for login, publishing, messaging, and notifications; extra hosted/plugin functionality can mislead deployment and cause operators to expose additional networked components with privileged credentials.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill’s stated purpose is to create and check XiaoIce video tasks, but the document expands into host-specific administration, credential rotation, and runtime reconfiguration guidance. In an agent setting, this broadens the model’s operational scope from task execution into privileged service administration, increasing the chance that a user can induce the agent to reveal sensitive infrastructure details or perform unauthorized configuration changes.

Context-Inappropriate Capability

Medium (97% confidence)
Finding
The skill discloses concrete local filesystem paths, a localhost admin API endpoint, and where an admin token is sourced. Even without the token value itself, this materially helps an attacker or prompt-injection attempt target sensitive files and privileged interfaces on the host, which is unnecessary for normal video-task usage.

VirusTotal

VirusTotal findings are pending for this skill version.