Douyin Downloader (Node.js)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Douyin downloader and transcription helper, with privacy and file-output caveats users should understand.

Install only if you are comfortable downloading Douyin media locally and sending extracted audio to SiliconFlow for transcription. Use a dedicated API key, choose the output directory carefully, and only process media you have permission to download or transcribe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises downloading third-party media and extracting speech text using an external service, but it does not warn users about copyright/privacy implications or that audio content may be transmitted off-platform to SiliconFlow. This can lead users to unknowingly process protected or sensitive content and expose it to a third party via their API key.

External Transmission

Medium
Category
Data Exfiltration
Content
'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/121.0.2277.107 Version/17.0 Mobile/15E148 Safari/604.1'
};

const DEFAULT_API_BASE_URL = 'https://api.siliconflow.cn/v1/audio/transcriptions';
const DEFAULT_MODEL = 'FunAudioLLM/SenseVoiceSmall';

// Utility function: Promise-based version of an http request
Confidence
89% confidence
Finding
https://api.siliconflow.cn/

VirusTotal

63/63 vendors flagged this skill as clean.
