douyindownloadwhisper

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it under-discloses that transcript text can be sent to MiniMax for segmentation.

Review before installing. Use only if you are comfortable with the tool contacting Douyin for retrieval and potentially sending transcript text to MiniMax when segmentation is enabled and MINIMAX_API_KEY is set. Use --no-segment for local-only transcription and install dependencies from trusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill states that extracted transcript text is sent to an OpenClaw built-in LLM for semantic segmentation, but the documentation does not present this as a clear privacy/data-handling warning before use. Users may reasonably assume transcription remains fully local because Whisper is described as local, causing inadvertent disclosure of potentially sensitive spoken content to another model or service.

VirusTotal

65/65 vendors flagged this skill as clean.
