Back to skill

Security audit

抖音评论分析

Security checks across malware telemetry and agentic risk

Overview

The skill’s Douyin comment-analysis purpose is coherent, but it needs review because it creates local HTML reports containing commenter metadata and can insert unescaped analysis content into a browser-opened report.

Install only if you are comfortable sending Douyin video IDs to RedFox and storing comment reports locally. Treat REDFOX_API_KEY as a secret, avoid sharing generated reports unless IP-region and user metadata are acceptable, and prefer a version that escapes or sanitizes analysis text before opening HTML reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to access environment variables, read and write local files, and make network requests, but it does not declare these permissions explicitly. This creates a transparency and consent problem: users and policy layers may not realize the skill can fetch remote data, persist HTML locally, and open files, increasing the chance of unintended data exposure or unsafe execution paths.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README says users can invoke the skill by 'simply describ[ing] what you need in natural language' with 'no commands to memorize,' which creates very loose activation boundaries. In an agent environment, broad natural-language triggering can cause accidental invocation from ordinary conversation or neighboring context, leading to unintended external requests, comment retrieval, and report generation.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example phrase 'Check the comments on this video for me' is generic everyday speech and does not clearly signal that the Douyin-specific skill should run. In a multi-skill assistant, such overlap increases the chance of misrouting, unintended use of this skill on ambiguous input, and unnecessary transmission of links or identifiers to external services.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README advertises very broad natural-language triggers, including a generic phrase like “下一页”, without clearly scoping it to an active comment-browsing session. In agent environments, overly generic triggers can cause accidental invocation or unintended continuation of a prior workflow, which may fetch more external data or reveal previously retrieved comment content when the user did not mean to operate this skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill highlights convenience and sharing/export features but does not clearly warn users that it collects and displays comment metadata including commenter IP region and supports report export/share. This creates a privacy and data-handling risk because users may redistribute reports containing personal or quasi-personal metadata without realizing what is included.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger words include broad phrases such as comment lookup/analysis that can overlap with ordinary conversation, making accidental invocation more likely. In this skill, accidental activation is more concerning because invocation can lead to outbound network requests and local report generation, not just harmless text processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill automatically generates an HTML report and later instructs opening it locally, but the description does not adequately warn users about local file creation and opening browser-renderable content. Even if the HTML is generated by the tool, it contains externally sourced comment data and URLs, so writing and opening it can expose users to privacy leakage, unwanted persistence, or content-based script/link risks depending on how the generator sanitizes output.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The authentication section tells users to store an API key in a local config file or environment variable but does not warn that the key is a sensitive credential. Without guidance on least-privilege storage and file permission hygiene, users may expose the key to other local users, logs, backups, or accidental sharing of configuration files.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The template explicitly includes an “IP属地” column, exposing commenter location metadata in the generated report without any notice, minimization, or access-control context. Even if the source platform exposes this data, republishing it in an analysis report increases privacy risk and may violate internal policy or user expectations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Untrusted fields from the analysis JSON are inserted directly into the HTML report without escaping or sanitization, so attacker-controlled content can become active HTML or JavaScript in the generated report. In this skill context, comment-analysis output may incorporate model-generated summaries or text derived from external platform content, making stored XSS in the local report plausible when the HTML is later opened in a browser.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def get_api_key() -> str:
    val = os.environ.get("REDFOX_API_KEY", "")
    if not val:
        print("[error] 未找到环境变量 REDFOX_API_KEY,请确认已设置 API Key", file=sys.stderr)
        print("[hint] 获取 API Key: https://redfox.hk/settings/api-keys?source=clawhub", file=sys.stderr)
Confidence
70% confidence
Finding
os.environ.get("REDFOX_API_KEY

Hidden Instructions

High
Category
Prompt Injection
Content
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>抖音评论分析 - {{VIDEO_ID}}</title>

<!-- Fonts -->
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Archivo+Black&family=Space+Grotesk:wght@300;400;500;600;700&display=swap" rel="stylesheet">
Confidence
70% confidence
Finding
<!-- Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Arc

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.