Douyin Account Diagnosis Grandmaster (抖音账号诊断宗师)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Douyin analytics integration that sends account names or IDs to Redfox for lookup and report generation, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable using a Redfox API key and sending Douyin account names or IDs to Redfox. Be especially careful with the not-found enrollment option, because replying with an account ID submits it to Redfox for asynchronous collection rather than only doing a one-time lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The fallback behavior expands from diagnosis into account-submission/collection and promises a later push, which is a material scope change from the skill’s stated purpose. That can lead to unauthorized data handling, unexpected retention, or out-of-band follow-up behavior the user did not clearly consent to within a diagnosis workflow.

Context-Inappropriate Capability

Low
Confidence: 82%
Finding
The documented fallback to general web search broadens the skill from a constrained Redfox-API diagnosis tool into an open-ended data gathering workflow. This increases privacy, provenance, and prompt-scope risk because results may come from untrusted sources and the user is not clearly warned at invocation time that their query may be sent beyond the named API provider.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill includes a write-side capability to submit Douyin account IDs to Redfox's collection/sync queue, which exceeds the declared read-only diagnosis purpose. This creates an undisclosed side effect on a third-party backend and could cause user-supplied identifiers to be ingested or queued without clear consent or necessity.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The `sync_account` method is a backend data-ingestion action that is not justified by the stated account-diagnosis use case. In agent environments, extra capabilities are risky because they can be invoked through prompt or workflow abuse to perform unintended external actions on third-party systems.

Vague Triggers

Medium
Confidence: 85%
Finding
The README states that users can invoke the skill with natural language and "no fixed commands to memorize," which creates loose activation boundaries. In an agent environment, this can cause the skill to trigger on ordinary discussion of Douyin analytics or quoted text, leading to unintended API calls, data processing, or disclosure of analysis results without a clear user intent confirmation step.

Vague Triggers

Low
Confidence: 78%
Finding
The example phrase "Liangtian Douyin analysis" is ambiguous because it resembles normal conversation rather than a clearly scoped tool invocation. In systems that auto-route based on semantic similarity, such phrasing increases the chance of accidental skill activation from incidental mentions, copied examples, or multi-intent requests.

Vague Triggers

Medium
Confidence: 84%
Finding
Broad trigger phrases increase the chance of unintended invocation, causing the skill to activate on ambiguous requests and send account identifiers to an external service without clear user intent. In a data-querying skill, accidental invocation is more dangerous because it can initiate third-party transmission and paid API usage.

Vague Triggers

Medium
Confidence: 86%
Finding
The natural-language trigger rules are loosely scoped, so common phrases combining a name with “diagnose/analyze” may activate the skill without sufficient context checks. Because the skill performs external lookups, unclear activation boundaries raise the risk of unintended data disclosure and unnecessary API calls.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill does not prominently warn users that supplied account names or IDs will be transmitted to a third-party API provider. This undermines informed consent and creates privacy/compliance risk, especially when users may assume the analysis is performed locally by the assistant rather than by an external service.

Missing User Warnings

Medium
Confidence: 92%
Finding
The workflow instructs the agent to send user-provided Douyin account identifiers to a third-party API, but it does not require any user-facing notice, consent, or disclosure that the identifier and retrieved profile data will leave the platform. This creates a privacy and transparency risk because users may reasonably believe they are interacting only with the assistant, not authorizing external transmission of account-related data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The enrollment flow asks the user to reply with a Douyin ID and then submits it to an external synchronization queue, but the warning about asynchronous processing is incomplete and there is no explicit disclosure that the identifier is being sent to a third party for storage/processing. This is riskier than a simple lookup because it initiates background processing and potential retention without informed consent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code sends account IDs and account names to `redfox.hk`, a third-party API, without any visible user notice, consent flow, or data-minimization control. Even if the identifiers are public-facing handles, transmitting them to an external processor can create privacy, compliance, and trust issues, especially when users may expect local analysis.

VirusTotal

64/64 vendors flagged this skill as clean.
