douyin-downloader-pro

Security checks across malware telemetry and agentic risk

Overview

This is a Douyin media downloader, but it asks users to put logged-in browser cookies into the script without clear credential-safety warnings.

Review before installing. Use it only for content you are allowed to access and save. Avoid adding browser cookies; if you must, treat them like passwords, keep them out of source control and shared logs, and remove them immediately after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs the agent to fetch remote Douyin URLs and download media, which is a network-capable action, but the skill metadata does not declare that permission. Undeclared network capability weakens policy enforcement and user transparency, and in this context it is more concerning because the workflow explicitly follows redirects, contacts third-party endpoints, and suggests adding authentication cookies to requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to paste logged-in browser cookies into the script to bypass anti-bot controls, but gives no warning about credential sensitivity, storage risks, or scope limitation. Because Douyin session cookies can authenticate the user, embedding them in local scripts or logs can expose account access if the file is shared, committed, or read by other processes.

VirusTotal

64/64 vendors flagged this skill as clean.
