Douyin Search Scraper (抖音搜索爬虫)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Douyin search scraper that uses Playwright and network requests for its stated purpose, with no evidence of credential theft, hidden persistence, or unrelated data access.

Install only if you are comfortable with browser automation that visits Douyin and may trigger anti-bot checks or platform-rate limits. Use it for explicit Douyin search or hot-list requests, keep limits modest, and avoid logging into personal accounts while running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The skill advertises broad natural-language triggering such as general Chinese search requests without defining tight activation criteria. In an agent environment, this can cause accidental invocation from ordinary conversation, leading to unexpected browser automation, network access, or scraping activity the user did not explicitly authorize.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The integration guidance tells the agent to automatically execute a command whenever the user makes a natural-language search request, but it does not define refusal conditions, approval gates, or scope limits. That makes prompt-triggered tool use too permissive and increases the chance of unintended command execution, excessive scraping, or misuse in contexts where the user only wanted discussion rather than action.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The example trigger phrases are very broad, generic user utterances such as "海鲜视频" ("seafood videos") and "抖音热榜有什么" ("what's on the Douyin hot list"), which can cause the skill to activate on ordinary conversation rather than on clear, intentional invocation. In an agent setting, this increases the chance of unintended browser automation and scraping actions being performed without sufficiently explicit user intent.

VirusTotal

64/64 vendors flagged this skill as clean.