Security audit

Douyin Super Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a genuine Douyin/video transcription tool, but it can route audio to remote ASR services (qwen-asr, Tencent Cloud) as an optional or fallback path, and it automatically stores transcript snippets in a separate memory store without clear consent or retention controls.

Review before installing, especially for private, confidential, copyrighted, or regulated audio/video. Use it only if you accept that transcription may use remote qwen-asr or Tencent Cloud and that transcript snippets may be saved into a local memory store. Prefer a clearly local Whisper-only configuration and disable or remove memory-manager writes unless the publisher adds explicit consent, retention, and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def memory_add(content, cat='knowledge'):
    try:
        subprocess.run(
            ['python3', MEMORY_CORE, 'add', content[:200], cat],
            capture_output=True, text=True, timeout=5,
        )
Confidence
93% confidence
Finding
subprocess.run is invoked with an argv list and no shell=True, so the transcript text reaches MEMORY_CORE as a plain argument rather than being interpreted by a shell; the exposure here is the data flow, not command injection. On every call the first 200 characters of the transcript are handed to a separate memory-manager process (python3 MEMORY_CORE add ...) with a 5-second timeout and no consent check, which is the secondary retention the later findings describe. The excerpt shows only the try body; the matching except clause is not included in the scanner output.

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation declares shell execution and file-writing behavior, but there is no explicit permission model or user-consent boundary described for those capabilities. In this context, the skill downloads content, invokes external binaries like curl, ffmpeg, uv, and mcporter, and writes outputs to the desktop, so undeclared execution and write capabilities increase the risk of unexpected filesystem changes or command abuse if downstream scripts are unsafe or inputs are not validated.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior conflicts with the stated description and safety claims: the skill says it is free and does not upload data, yet it also describes optional remote/cloud ASR and memory-manager storage. This mismatch is security-relevant because users may provide private audio or links under false assumptions about local-only processing, leading to unintentional disclosure to third-party services or persistence in external stores.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The security declaration explicitly says 'no data upload,' but the same document advertises qwen-asr and Tencent Cloud ASR as available processing paths. That contradiction can mislead users into sending audio or transcript data to remote services without informed consent, which is especially dangerous for sensitive recordings, private speech, or regulated data.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill stores transcript excerpts in a separate memory-manager knowledge base, which exceeds the user-visible purpose of Douyin processing and introduces silent secondary data use. This is dangerous because users may submit private or copyrighted media expecting one-time processing, not retention in another subsystem.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code automatically stores transcript excerpts into an external memory system after video processing, without any consent gate or necessity for core functionality. This creates unauthorized retention and possible disclosure of sensitive speech content beyond the expected task boundary.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The audio-processing path is labeled as pure transcription, yet it also persists transcript content into memory-manager. That mismatch is dangerous because it obscures data retention behavior and prevents informed consent for potentially sensitive audio content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that outputs are automatically saved to the Desktop and that processing records are written to a local memory store, but it does not clearly disclose this as a privacy-relevant behavior or explain retention. Users may unintentionally leave sensitive transcripts, media, or metadata persisted on shared or monitored machines.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README advertises remote/cloud ASR fallback paths such as qwen-asr and Tencent Cloud without clearly warning that user audio, extracted speech, or derived content may be transmitted to third-party services. This creates a meaningful confidentiality risk, especially because users may assume the tool is entirely local or 'zero configuration' and process sensitive recordings without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Audio is sent to external ASR providers and transcript text is later stored in memory without explicit warning, consent, or privacy controls. In a media-processing skill, this materially increases risk because user-submitted content may include personal, confidential, or regulated information.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill automatically writes transcript content both to local files and to memory storage, with no safeguards for sensitive content. This is dangerous because transcriptions can contain personal data, secrets, or copyrighted material that become persistently stored without limits or user approval.
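The consent and retention controls the findings above ask for can be made concrete. The following is an added example, not code from the Douyin Super Agent skill or from SkillSpector: it shows the fail-closed shape a hardened version of the transcription and memory path would take. Backend names are taken from the audit text; the Policy and MemoryStore types, the runner callables and the purge method are hypothetical names introduced here. Remote ASR is never used as a silent fallback, and transcript excerpts are persisted only with an explicit opt-in and a retention period.

```python
"""Consent-gated ASR backend selection and memory writes.

Added example (not the skill's own code). Backend names come from the
audit; Policy, MemoryStore and the runner callables are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional

LOCAL_BACKENDS = {"whisper", "faster-whisper"}
REMOTE_BACKENDS = {"qwen-asr", "tencent-cloud"}   # these send audio to a third party


@dataclass
class Policy:
    allow_remote_asr: bool = False          # default: audio never leaves the machine
    allow_memory_write: bool = False        # default: one-time processing only
    memory_ttl_days: Optional[int] = None   # required when allow_memory_write is True


@dataclass
class MemoryStore:
    """Stand-in for the memory-manager sink; records what would have been persisted."""
    entries: list = field(default_factory=list)

    def add(self, content: str, cat: str, ttl_days: int) -> None:
        self.entries.append({"content": content, "cat": cat, "ttl_days": ttl_days})

    def purge(self, cat: str) -> int:
        """Deletion control: drop every entry in a category, return how many were removed."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e["cat"] != cat]
        return before - len(self.entries)


def transcribe(audio: bytes, backend_chain: list, policy: Policy, runners: dict) -> tuple:
    """Try backends in order; remote backends are skipped unless the user opted in.

    Returns (backend_used, transcript). When every permitted backend fails it
    raises RuntimeError instead of silently falling through to a remote service.
    """
    skipped = []
    for name in backend_chain:
        if name not in LOCAL_BACKENDS | REMOTE_BACKENDS:
            raise ValueError(f"unknown backend {name!r}")
        if name in REMOTE_BACKENDS and not policy.allow_remote_asr:
            skipped.append(name)
            continue
        try:
            return name, runners[name](audio)
        except Exception:
            continue   # model missing, runner crashed: try the next permitted backend
    raise RuntimeError(
        "no permitted backend succeeded; remote backends skipped without opt-in: "
        + ", ".join(skipped)
    )


def store_transcript(text: str, policy: Policy, store: MemoryStore, cat: str = "knowledge") -> bool:
    """Persist an excerpt only with explicit consent and a positive retention period."""
    if not policy.allow_memory_write:
        return False
    if not policy.memory_ttl_days or policy.memory_ttl_days <= 0:
        raise ValueError("memory writes require a positive retention period")
    store.add(text[:200], cat, policy.memory_ttl_days)   # same 200-character cap as the skill
    return True


if __name__ == "__main__":
    # Constructed runners standing in for faster-whisper and qwen-asr.
    runners = {
        "faster-whisper": lambda audio: "local transcript",
        "qwen-asr": lambda audio: "remote transcript",
    }
    backend, text = transcribe(b"\x00" * 16, ["faster-whisper", "qwen-asr"], Policy(), runners)
    print(backend, text)
```

With the default Policy the remote backend is unreachable even when it is listed in the chain, and a local failure surfaces as an error naming the backends that were skipped, so the user decides whether to opt in rather than discovering the upload afterwards.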

Unpinned Dependencies

Low
Category
Supply Chain
Content
faster-whisper>=1.0.0
ffmpeg-python>=0.2.0
edge-tts>=6.1.0
requests>=2.31.0
Confidence
95% confidence
Finding
faster-whisper>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
95% confidence
Finding
ffmpeg-python>=0.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
95% confidence
Finding
edge-tts>=6.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
98% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

The declared constraint requests>=2.31.0 is a floor, not a pin: a resolver may legitimately select 2.31.0, which predates the fixes for CVE-2024-35195 (requests 2.32.0) and CVE-2024-47081 (requests 2.32.4). Raise the floor to at least 2.32.4 and record the exact resolved version in a lockfile.

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests (declared as requests>=2.31.0)
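The four Unpinned Dependencies findings and the requests advisory above are the kind of check worth automating before installing a skill. The following is an added example, not part of the skill or of SkillSpector: it parses a requirements file, reports which specifiers are floors rather than exact pins, and checks each floor against a table of fix versions. The requirements text is the one shown in the findings; MIN_FIXED is an assumed table built from the two 2024 requests advisories the scanner named and must be maintained against an advisory database, since a stale table silently passes new CVEs.

```python
"""Audit requirements specifiers for unpinned floors that admit known-vulnerable releases.

Added example (not the skill's or the scanner's code). MIN_FIXED is an
assumed, hand-maintained table of fix versions for the advisories named
in the audit; extend it from an advisory feed before relying on it.
"""
import re

# Copied from the Content block of the Unpinned Dependencies findings.
SKILL_REQUIREMENTS = """\
faster-whisper>=1.0.0
ffmpeg-python>=0.2.0
edge-tts>=6.1.0
requests>=2.31.0
"""

REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?:(?P<op>==|>=|~=|>|<=|<|!=)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?$"
)

# Assumed fix versions for the requests CVEs listed in the finding above.
MIN_FIXED = {
    "requests": [("CVE-2024-35195", "2.32.0"), ("CVE-2024-47081", "2.32.4")],
}


def parse_version(v: str) -> tuple:
    """Numeric comparison tuple; adequate for release versions such as 2.32.4."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_requirements(text: str) -> list:
    """Return one finding dict per requirement line (comments and blanks skipped)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append({"spec": line, "error": "unparsed specifier"})
            continue
        name, op, ver = m["name"].lower(), m["op"], m["ver"]
        pinned = op == "=="
        # Lowest version the specifier can resolve to; () means "no lower bound".
        if op in ("==", ">=", "~=", ">"):
            floor = parse_version(ver)
        else:
            floor = ()
        admits = [cve for cve, fixed in MIN_FIXED.get(name, [])
                  if floor < parse_version(fixed)]
        findings.append({"name": name, "spec": line, "pinned": pinned,
                         "admits_vulnerable": admits})
    return findings


def recommend(finding: dict) -> str:
    """One-line remediation for a finding produced by audit_requirements."""
    if finding.get("error"):
        return "fix specifier"
    if finding["admits_vulnerable"]:
        latest_fix = max(parse_version(v) for _, v in MIN_FIXED[finding["name"]])
        return "raise floor to " + ".".join(map(str, latest_fix)) + " and pin"
    if not finding["pinned"]:
        return "pin to an exact version"
    return "ok"


if __name__ == "__main__":
    for f in audit_requirements(SKILL_REQUIREMENTS):
        print(f"{f['spec']:<28} pinned={f['pinned']!s:<5} "
              f"vulnerable={f['admits_vulnerable']} -> {recommend(f)}")
```

Run against the skill's declared requirements every line comes back unpinned, and only the requests line additionally admits releases below the advisory fix versions; an exact pin such as requests==2.32.0 would still be flagged for CVE-2024-47081, which is why the check compares the floor against every listed fix rather than just testing for the presence of ==.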

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.