Douyin Video Skills

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Douyin video search and transcription skill, but it uses a logged-in browser profile and sends extracted audio to SiliconFlow for transcription.

Install only if you are comfortable using a dedicated Douyin browser profile, storing a SiliconFlow API key, downloading selected videos locally, and sending extracted audio to SiliconFlow for transcription. Keep output folders private because they can contain source links, transcripts, metadata, and local profile paths, and make sure your use complies with applicable copyright, platform, and privacy rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'share_url' from requests.get (line 77, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
raise ValueError("未找到有效的分享链接")

        share_url = urls[0]
        share_response = requests.get(share_url, headers=HEADERS)
        share_response.raise_for_status()
        video_id = share_response.url.split("?")[0].strip("/").split("/")[-1]
        share_url = f'https://www.iesdouyin.com/share/video/{video_id}'
Confidence
91% confidence
Finding
share_response = requests.get(share_url, headers=HEADERS)

Tainted flow: 'video_info' from os.getenv (line 269, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
if show_progress:
            print(f"正在下载视频: {video_info['title']}")

        response = requests.get(video_info['url'], headers=HEADERS, stream=True)
        response.raise_for_status()
        total_size = int(response.headers.get('content-length', 0))
Confidence
90% confidence
Finding
response = requests.get(video_info['url'], headers=HEADERS, stream=True)

Tainted flow: 'files' from open (line 193, file read) → requests.post (network output)

High
Category
Data Flow
Content
}
        headers = {"Authorization": f"Bearer {self.api_key}"}
        try:
            response = requests.post(self.api_base_url, files=files, headers=headers)
            response.raise_for_status()
            result = response.json()
            if 'text' in result:
Confidence
97% confidence
Finding
response = requests.post(self.api_base_url, files=files, headers=headers)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while clearly requiring environment access, filesystem reads/writes, network access, and shell execution. This undermines informed consent and security review because operators may run a skill with broader capabilities than expected, increasing the chance of unauthorized data access, local file modification, or outbound transmission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior emphasizes web search, filtering, and title validation, but the skill also supports direct share-link processing, video downloading, audio extraction, and third-party transcription API calls. This mismatch is security-relevant because users may not realize the skill can bypass the described review flow, download content locally, and transmit derived data externally.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file implements watermark-free video downloading and local saving, which exceeds the declared skill purpose of search, filtering, link retrieval, and text extraction/correction. Capability drift is security-relevant because users and platform reviewers may not expect content downloading behavior, especially one designed to bypass watermarking.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code integrates with an external transcription API and depends on an API key, but that outbound data transfer is not disclosed in the skill description. This mismatch reduces informed consent and can expose sensitive audio/content to a third party unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description does not prominently warn that the skill downloads videos, writes transcripts and metadata to disk, and sends audio to an external ASR provider. In this context, the omitted disclosure is dangerous because the skill processes potentially sensitive copyrighted or account-associated content, and users may unknowingly expose data to third parties or leave artifacts on local storage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Audio is transmitted to an external API at the point of transcription without a clear user-facing warning or just-in-time consent. In a media processing skill, this is particularly important because spoken content may include personal, confidential, or copyrighted material.

External Transmission

Medium
Category
Data Exfiltration
Content
'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/121.0.2277.107 Version/17.0 Mobile/15E148 Safari/604.1'
}

DEFAULT_API_BASE_URL = "https://api.siliconflow.cn/v1/audio/transcriptions"
DEFAULT_MODEL = "FunAudioLLM/SenseVoiceSmall"
Confidence
87% confidence
Finding
https://api.siliconflow.cn/

VirusTotal

No VirusTotal findings
