Security audit

抖音爆款爬虫 v2 (Douyin viral-content scraper v2)

Security checks across malware telemetry and agentic risk

Overview

This skill is a Douyin trend/search-suggestion scraper whose network access and optional file output are consistent with its stated purpose.

Install only if you are comfortable with it downloading Playwright/Chromium and contacting Douyin APIs. Prefer the documented default install path or official sources, and review any requested output path before using --output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation instructs users to run local scripts that use network, shell, environment access, and file output, but it does not declare any corresponding permissions or capability boundaries. This creates a transparency and least-privilege problem: an agent or user may invoke the skill without understanding that it can access external services and write files, increasing the chance of unsafe execution in a broader automation environment.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: Native mode downloads packages and browser binaries from network mirrors, including non-default mirror hosts, without integrity verification or a prominent user warning. If those mirrors are compromised, misconfigured, or intercepted in the user's environment, the installer could fetch and execute untrusted code or binaries during setup.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.