Douyin Data Method

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Douyin data-query skill that uses a third-party API key, with no executable installer, persistence, or hidden file behavior found.

Install only if you trust the MaxHub/aconfig.cn API service with your MAXHUB_API_KEY and Douyin query data. Do not provide Douyin session cookies unless you fully understand the account-access risk; keep API keys out of chat output and use the skill for user-directed data lookup and analysis rather than automated account actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 83% confidence
Finding: The skill is presented as a read-oriented Douyin data query method, but later expands scope to include app-interaction triggers and protocol tooling. This mismatch can cause operators or higher-level orchestration to trust the skill with broader capabilities than expected, increasing the risk of unintended actions or sensitive identifier transformations under a misleading label.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal