Douyin Daily TOP Accounts

Security checks across malware telemetry and agentic risk

Overview

This Douyin ranking skill appears to do what it advertises, but it handles the RedFox API key too broadly (persisting it into shell startup files or the Windows user environment) and generates HTML reports that load and run third-party browser code from a CDN.

Review before installing. Use a limited RedFox API key, avoid letting the agent write it permanently into shell startup files, do not echo the full key in logs, and open generated HTML reports only if you are comfortable with them loading JavaScript from jsdelivr.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if system == "Darwin":  # macOS
            subprocess.run(["open", str(abs_path)], check=True)
        elif system == "Windows":
            subprocess.run(["start", "", str(abs_path)], shell=True, check=True)
        else:  # Linux
            subprocess.run(["xdg-open", str(abs_path)], check=True)
        print(f"\n✓ HTML 报告已自动打开: {abs_path}", file=sys.stderr)
Confidence
91% confidence
Finding
subprocess.run(["start", "", str(abs_path)], shell=True, check=True)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to persistently modify shell startup files or Windows user environment variables to install an API key, which exceeds the narrow purpose of querying rankings and generating reports. Persisting credentials changes the user's system state and can expose secrets to other tools, sessions, or users on the machine, especially without strong consent and security guidance.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The generated HTML loads `html2canvas` from a third-party CDN at runtime, which introduces external code execution in the user's browser whenever the report is opened. If the CDN is compromised, blocked, or substituted by a hostile network, the report can execute attacker-controlled JavaScript despite being generated locally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill tells the agent to store the user's API key in persistent shell startup files or the Windows user environment without any warning about credential exposure, local multi-user access, shell history leakage, or reuse by unrelated skills. That creates a clear secret-handling risk because the API key becomes broadly available beyond the immediate task and may be disclosed during validation or later troubleshooting.

VirusTotal

63/63 vendors flagged this skill as clean.