Douyin Works Crawler

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Douyin lookup tool using RedFox APIs, with manageable cautions around third-party data submission and partial API-key logging.

Install only if you are comfortable sending Douyin names or IDs to RedFox and using a RedFox API key/credits. Avoid running it in shared logs or screenshots until the partial API-key print is removed, and use precise Douyin IDs when querying or submitting accounts for indexing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill metadata says it fetches Douyin account info and recent works, but the implementation also supports submitting upstream account ingestion/synchronization requests. This expands the tool's behavior beyond passive viewing into triggering remote data collection workflows, which is a capability mismatch and can cause users to initiate third-party processing they did not expect.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The CLI path allows a user to invoke --sync and trigger a remote account collection request, even though the advertised purpose is viewing/crawling works. That creates an undisclosed action path that can submit third-party identifiers to an external service and alter upstream state, which is riskier than a read-only lookup tool.

Vague Triggers

Medium
Confidence: 93%
Finding
The README instructs users to invoke the skill through broad natural-language requests rather than a narrowly scoped command or explicit consent flow. This increases the chance of accidental or contextually inappropriate activation, especially in conversations about competitor monitoring or data collection, causing the agent to retrieve external account data when the user did not clearly intend to use this specific skill.

Vague Triggers

Medium
Confidence: 90%
Finding
The example phrase about checking a competitor's account is broad enough to overlap with ordinary analytical or marketing requests, making unintended tool selection more likely. Because the tool retrieves structured third-party content and engagement data, mistaken activation could expose or process data beyond what the user expected in a general discussion.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README promotes exporting structured account and works data but provides no privacy, retention, downstream sharing, or lawful-use guidance. Even if the data is sourced from a platform service, packaging and exporting it at scale can increase privacy, profiling, and misuse risks, particularly for competitor intelligence or creator monitoring use cases.

Vague Triggers

Medium
Confidence: 90%
Finding
The README instructs users to trigger the skill with broad natural-language phrases but does not define clear boundaries, exclusions, or confirmation requirements. In an agent environment, this can cause accidental invocation on ambiguous requests, leading to unintended external queries or submission actions against third-party services.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill description emphasizes querying Douyin accounts and submitting unlisted accounts for collection, but it does not clearly warn users that their request may result in external data retrieval or outbound submission to a third-party platform. This lack of notice undermines informed consent and can expose user-provided identifiers to external services without explicit acknowledgement.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger phrases are broad natural-language expressions without clear exclusions or narrowing conditions, which can cause the skill to activate in unintended contexts. In a skill that performs external lookups and potential submission actions, accidental invocation can leak user-provided account identifiers to a third-party service or produce unauthorized external requests.

Vague Triggers

Low
Confidence: 74%
Finding
The instruction to configure trigger words for conversational invocation lacks a defined scope, precedence, or safety limits, increasing the chance of ambiguous activation. While primarily a routing/control issue, it becomes security-relevant because this skill performs external API calls and may submit account identifiers for collection.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill description does not clearly inform users that supplied Douyin names/IDs may be sent to an external RedFox API, nor that an account-submission request may be made for unindexed accounts. This lack of disclosure is dangerous because users may unknowingly transmit third-party identifiers or request external processing without informed consent, creating privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence: 90%
Finding
The request helper sends user-supplied account identifiers to a third-party API endpoint, and the overall workflow returns profile and works data from that provider without clear disclosure that user input is being transmitted off-platform. In a data-collection skill, this is especially sensitive because account identifiers and retrieved profile/work metadata may be personal or regulated data depending on use context.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script loads an API key from an environment variable and later prints the first characters of the credential to console. Even partial credential exposure can leak identifying token material into logs, screenshots, shared terminals, or CI output, increasing the chance of credential correlation or accidental disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.
