Douyin 抖音 Content Insights MCP

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only Douyin research plugin that forwards tool requests to a fixed hosted SocialDataX MCP service using an API key.

Install only if you are comfortable sending Douyin research inputs and the SocialDataX API key to the hosted mcp.52choujiang.com service. Avoid submitting sensitive private targets or confidential research terms unless the provider's privacy and retention practices are acceptable to you.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium severity, 88% confidence
Finding
This plugin forwards user-supplied parameters such as keywords, URLs, profile links, aweme IDs, and comment IDs to a third-party remote MCP endpoint over HTTP(S) without any in-file disclosure, consent mechanism, or minimization controls. In an agent setting, users may reasonably believe inputs are handled locally, so silent transmission of potentially sensitive research targets, shared links, or identifiers creates a privacy and data-governance risk even if the transport is authenticated and uses HTTPS.

Missing User Warnings

Medium severity, 93% confidence
Finding
The manifest clearly requires an API key and sends requests to a third-party hosted service, but the user-facing text does not plainly warn that user prompts, identifiers, URLs, and retrieved content may be transmitted off-platform to an external domain. In a tool that performs social-media research and analytics, this can expose potentially sensitive query data or target account information to the remote provider without sufficiently explicit consent or transparency.

Missing User Warnings

Medium severity, 93% confidence
Finding
The manifest clearly declares that the plugin requires a SOCIALDATAX_API_KEY and communicates with an external hosted service at mcp.52choujiang.com, but the package description does not plainly disclose that user requests and associated data are sent off-device. In a research/data-insights plugin, this omission can mislead users about data handling boundaries and consent, especially when prompts, queries, or derived content may be transmitted to a third party.

VirusTotal

61/61 vendors flagged this plugin as clean.