ClawHub
Back to skill

Security audit

Douyin Quick Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Douyin search helper that uses web search and page fetching, with no code execution, credentials, persistence, or account changes shown.

Install only if you are comfortable with Douyin search terms and provided Douyin URLs being sent through external web search and page-fetching services. Do not provide Douyin cookies, passwords, private account links, or other sensitive information, and verify the install slug because the README command does not match the skill name.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README advertises very broad natural-language triggers such as generic search requests, which can overlap with ordinary user conversation and cause the skill to activate unintentionally. In an agent environment, ambiguous invocation increases the chance of unintended web searches, external requests, and content retrieval without clear user intent or explicit scoping.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The usage examples are common conversational phrases in Chinese with no scope constraints, making them likely to collide with everyday chat. Because this skill performs web search and scraping of an external site, accidental triggering can lead to unintended network access, retrieval of untrusted content, and confusing or privacy-impacting agent behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes very generic phrases such as '抖音视频' and 'douyin search', which can match ordinary user requests that are not explicitly asking to invoke this skill. This can cause unintended activation, routing user queries into web scraping behavior unexpectedly and increasing the chance of overreach or confusing tool use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.