Douyin Viral Hits Scraper Pro (抖音爆款爬虫 Pro)

Security checks across malware telemetry and agentic risk

Overview

This is a real Douyin scraping skill, but the browser and file-write authority it gives the agent is not clearly limited to its Douyin-only purpose.

Install only if you are comfortable with a skill that can run Playwright browser automation, install local dependencies, and write export files. Use it only for Douyin URLs, avoid logging into accounts, review output paths before saving, and consider adding URL allowlisting before using the analyze command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill instructs the agent to execute shell commands, install dependencies, and write output files, yet it declares no permissions. That mismatch can cause an agent or reviewer to underestimate the skill’s real capabilities, increasing the chance of unsafe execution in environments that rely on declared permissions for policy decisions.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 83%
Finding: The documented behavior goes beyond simple scraping by including arbitrary URL analysis and installation flows that run npm/pip and Playwright setup commands. Description-behavior gaps are dangerous because they hide higher-risk actions such as dependency installation and container/image operations behind a seemingly narrow data-collection skill.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding: The script accepts an arbitrary output path from command-line arguments and writes scraped data there with fs.writeFileSync without constraining the destination. In an agent context, this expands the skill from scraping into unrestricted local file write behavior, which can overwrite user files or place data in sensitive locations if an upstream caller passes a malicious path.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The analyze command accepts any user-supplied URL and loads it in an automated browser, even though the skill is described as a Douyin scraper. That broadens the tool into a generic web-fetch/browser-automation primitive, which can be abused to access unintended sites, trigger requests to internal or sensitive endpoints from the host environment, or interact with hostile pages.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding: Using Playwright to visit arbitrary URLs exposes a general-purpose browser request capability unrelated to the declared functionality of scraping Douyin content. In an agent setting, this increases risk because a caller can repurpose the skill to browse attacker-chosen pages, potentially reaching internal services or causing unintended network interactions from a trusted runtime.

Missing User Warnings

Medium
Confidence: 87%
Finding: The README promotes scraping, searching, and exporting Douyin video metadata and copywriting content, but only gives general 'comply with rules' language and does not clearly address privacy, consent, data retention, or lawful handling of scraped personal/content data. In the context of a scraping skill, that omission increases the chance of misuse for bulk collection, profiling, or republishing of creator data without adequate safeguards.

Vague Triggers

Medium
Confidence: 78%
Finding: The trigger phrases are very broad natural-language patterns like 'search', 'look at hot list', or 'analyze this link', without exclusion rules or confirmation gates. In an agent setting, loose triggers can cause accidental invocation of browser automation and shell-backed scraping workflows on unrelated user input or attacker-crafted prompts.

VirusTotal

65/65 vendors flagged this skill as clean.
