douyin-to-obsidian

Security checks across malware telemetry and agentic risk

Overview

This skill performs its stated transcript-to-Obsidian task, but it is built around bypassing Douyin anti-bot controls and includes unverified runtime binary downloads.

Install only if you are comfortable with a tool that automates Douyin access in ways intended to bypass platform protections. Use a virtual environment, manually install or verify FFmpeg instead of relying on the auto-download, pass only explicit public Douyin URLs, avoid logged-in/private content, and review the target Obsidian path before running because it writes Markdown files there automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Tainted flow: 'video_url' from requests.get (line 181, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
try:
            if "v.douyin.com" in video_url:
                print(f"检测到短链,正在解析真实地址:{video_url}")
                resp = requests.get(video_url, allow_redirects=True, timeout=10, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'})
                video_url = resp.url
                print(f"短链已解析为真实链接:{video_url}")
Confidence
87% confidence
Finding
resp = requests.get(video_url, allow_redirects=True, timeout=10, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'})

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and operationally depends on network access, local file writes, and likely environment interaction, yet no permissions are declared in the skill metadata. This creates a transparency and consent gap: users or hosting platforms may invoke a skill with side effects they were not clearly warned about, including writing notes locally and downloading binaries/models.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The extractor automatically downloads and installs an FFmpeg binary from the internet without signature or checksum verification. This introduces a software supply-chain risk: if the distribution site, network path, or downloaded archive is tampered with, the skill may place and execute untrusted binaries on the user's system.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code contains explicit anti-detection and platform risk-control bypass logic, including link transformation to avoid checks and browser fingerprint manipulation to hide automation. In the context of a scraping/transcription skill, this goes beyond normal functionality and materially increases the likelihood of unauthorized scraping, evasion of account controls, and downstream abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file states that the skill will automatically download FFmpeg and Whisper model files and requires access to external sites, but it does not clearly frame these as security-relevant behaviors with explicit user consent and trust implications. Automatic network retrieval of executables/models and local writes can expose users to unexpected binary installation, supply-chain risk, and policy violations, especially in an agent skill context where users may assume a documentation file is low risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that notes are automatically saved into a local Obsidian directory and even exposes a concrete default path, but it does not clearly warn users that local files will be created or modified automatically. This can lead to unintended writes into a personal knowledge base, accidental disclosure of extracted content, or overwriting/commingling data in a synced notes directory such as iCloud-backed Obsidian vaults.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README documents dependencies that perform browser automation, media download, HTTP requests, and automatic FFmpeg binary retrieval, but it does not clearly warn that using the skill triggers external network activity and downloads third-party content/binaries. In this context, the advertised 'bypass risk control' and anti-crawling behavior make the omission more concerning because users may unknowingly interact with remote services, download executable components, or process potentially sensitive media without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that notes are automatically saved to a default Obsidian directory, including a concrete local path, but does not prominently warn users in the main description that it will write files to disk by default. Unexpected local writes can expose private data locations, overwrite user content, or cause users to process sensitive data without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill automatically downloads FFmpeg and Whisper model files, but this behavior is only mentioned later in FAQ-style text rather than as a primary warning. Silent or poorly disclosed downloads introduce supply-chain, disk-usage, and network-consumption risks, especially when executable tooling like FFmpeg is fetched automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The architecture explicitly states that the tool saves a generated Markdown file into the user's Obsidian directory, but the documentation does not warn users that running the skill causes local file writes. This is dangerous because users may invoke the skill expecting read-only processing, while it can modify a sensitive notes repository and potentially overwrite or introduce untrusted content into synchronized knowledge bases.

Ssd 2

Medium
Confidence
97% confidence
Finding
The description explicitly promotes bypassing Douyin risk controls, which are anti-bot or anti-abuse protections. A skill designed to evade platform defenses materially increases the likelihood of unauthorized scraping, account enforcement actions, and broader abuse of the target platform.

Ssd 2

High
Confidence
99% confidence
Finding
The feature list explicitly states that the tool bypasses sliding captcha and SSR data blocking, which are concrete anti-automation safeguards. This is not incidental wording; it signals intentional evasion capability that can be weaponized for large-scale scraping or access beyond intended controls.

Ssd 2

High
Confidence
98% confidence
Finding
The anti-crawling section provides actionable evasion guidance, including fingerprint customization, redirect handling, and techniques framed as bypassing risk controls. In context, this materially increases danger because the skill is purpose-built for extracting Douyin content while avoiding detection, rather than for legitimate browser testing or research in a controlled environment.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
ffmpeg-python>=0.2.0
openai-whisper>=20231117
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
ffmpeg-python>=0.2.0
openai-whisper>=20231117
openai>=1.0.0
Confidence
95% confidence
Finding
aiohttp>=3.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
ffmpeg-python>=0.2.0
openai-whisper>=20231117
openai>=1.0.0
playwright>=1.40.0
Confidence
94% confidence
Finding
ffmpeg-python>=0.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
ffmpeg-python>=0.2.0
openai-whisper>=20231117
openai>=1.0.0
playwright>=1.40.0
Confidence
95% confidence
Finding
openai-whisper>=20231117

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp>=3.9.0
ffmpeg-python>=0.2.0
openai-whisper>=20231117
openai>=1.0.0
playwright>=1.40.0
Confidence
95% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
ffmpeg-python>=0.2.0
openai-whisper>=20231117
openai>=1.0.0
playwright>=1.40.0
Confidence
95% confidence
Finding
playwright>=1.40.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource ); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
aiohttp

VirusTotal

65/65 vendors flagged this skill as clean.
