Douyin Keyword Search

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent: it fetches public Douyin analytics through a third-party API and saves result files locally, as documented.

Install only if you are comfortable sending Douyin queries and creator URLs to the GUAIKEI API service and storing returned result data in local log files. Treat GUAIKEI_API_TOKEN as a private API key and delete the logs directory when you no longer need retained search or competitor-analysis results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The CLI persists the full fetched Douyin results to a local JSON file without an explicit opt-in or clear disclosure to the user. Even if intended for convenience/debugging, this creates unnecessary local data retention and can expose scraped content or metadata to other local users, backups, or downstream processes, which exceeds the apparent read/analyze behavior of the skill.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The CLI presents itself as a search/output tool but unconditionally writes the full search result payload to log storage via log.taskWrite, including the user keyword and returned content metadata. In a public-data analytics skill, this creates an information disclosure and data retention risk because operators or other local users may access stored query history and results that the user did not explicitly consent to persist.

VirusTotal

65/65 vendors flagged this skill as clean.