ClawHub
Back to skill

Security audit

Douyin Mini Game Unity

Security checks across malware telemetry and agentic risk

Overview

This is documentation-only and not malware, but it contains copyable payment and debug/privacy examples that could lead developers to ship unsafe production behavior.

Install only if you want a broad Douyin Unity API reference and will review generated code before use. Treat its payment examples as unsafe until changed to grant entitlements only after backend-verified payment confirmation, and add production gating, authorization, privacy notices, redaction, and data minimization around debug commands, analytics, logs, clipboard, recording, and share links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The example for direct item purchase treats the client-side Success callback as proof of completed payment and immediately grants the item. The same document later states that client callbacks only indicate checkout/UI success and that final payment status must be confirmed by server callback, so this pattern can let users receive items without verified settlement if checkout is interrupted, spoofed, rolled back, or disputed.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The full-flow PurchaseItem method labels Success as a successful purchase and calls GrantItemImmediately, directly contradicting the document's own guidance that client callback results do not prove funds were received. In a payment integration reference, this is especially dangerous because developers are likely to copy the sample verbatim into production, enabling fraudulent or inconsistent entitlement grants.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The debug command examples expose handlers that manipulate live game state such as adding resources and jumping levels, which goes beyond a UI/rendering reference and normal diagnostics. If developers copy this pattern into builds without strong environment gating, authentication, or removal in production, it can create cheat/debug backdoors that enable privilege abuse and integrity violations.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The text frames RegisterCommandEvent as a developer-tool interaction feature, but the sample callbacks implement GM-style operations with direct gameplay effects. That mismatch normalizes unsafe use of a debug channel for privileged actions, increasing the chance that integrators ship latent admin functionality accessible through tooling or other command injection paths.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation examples log environment and launch metadata such as AppId, host environment, launch source, scheme query, and later location/launch parameters directly to debug output. In a game SDK context, these fields can contain sensitive identifiers or user/context data, and developers may copy these examples into production builds without adding privacy controls, causing inadvertent data exposure through logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The clipboard example encourages reading arbitrary system clipboard contents and acting on them automatically, but it does not mention user consent, privacy implications, or the risk of processing sensitive data unintentionally copied from other apps. In a game SDK reference, this can normalize privacy-invasive behavior and lead developers to implement clipboard scraping without notice or validation.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The document promotes screen recording and automatic share prompts (`IsShowVideoShareToast = true`) without explicitly warning that gameplay, user communications, or other personal data may be captured and surfaced for sharing. In a game SDK context, this can lead developers to implement recording/sharing flows without clear consent UX, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The share examples embed `inviterId=12345` and similar state into query parameters without warning that identifiers in share links can expose personal or trackable information to recipients, logs, analytics systems, or downstream handlers. Because sharing is a cross-user distribution feature, documenting raw identifiers as normal practice can encourage privacy-unsafe implementations.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The invite-state example logs user nicknames and IDs directly, which can expose personal data in client logs, debug consoles, crash reports, or analytics pipelines. While common in sample code, normalizing this pattern in SDK documentation can lead to unnecessary retention and disclosure of user data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This documentation explicitly promotes analytics reporting APIs such as `TT.ReportAnalytics` and `TT.ReportScene` and includes examples sending gameplay and purchase-related event data, but it provides no warning about privacy obligations, consent requirements, data minimization, or restrictions on transmitting personal or sensitive data in event payloads. In an SDK reference skill used by developers, that omission can directly encourage unsafe instrumentation patterns and lead to noncompliant or excessive user-data collection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The direct-purchase sample omits a clear warning that the Success callback is not final payment confirmation and then immediately grants the item. Even if partially overlapping with the stronger SDI-4 finding, the missing warning materially increases the likelihood that integrators will implement insecure fulfillment logic.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The complete-flow example is presented as recommended practice yet immediately fulfills the item in the client Success callback without an explicit warning about false-positive success states. Because this is the 'full flow' sample, the misleading guidance has a high chance of propagation into real payment code, increasing fraud and accounting inconsistency risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example explicitly shows use of a realtime log manager that uploads logs to the Douyin backend, but it does not warn developers not to include user identifiers, tokens, payment data, or other personal/sensitive information, nor does it mention transparency/consent requirements where applicable. In a reference skill, omission of these safeguards can lead downstream developers to implement privacy-impacting telemetry by default and unintentionally exfiltrate sensitive runtime data.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
同步方法(后缀 Sync): AccessSync(path)→bool, CopyFileSync/MkdirSync/RenameSync/RmdirSync/UnlinkSync/TruncateSync(src,dest), ReaddirSync(dirPath)→string[], ReadFileSync(path,enc)→string/byte[], WriteFileSync/AppendFileSync(path,data,enc), StatSync(path)→Stats, OpenSync(path,flag)→fd, CloseSync(fd), WriteSync/ReadSync(fd,data/buf,enc), FstatSync(fd)→Stats, FtruncateSync(fd,len)

异步方法: Access/CopyFile/Mkdir/Readdir/ReadFile/WriteFile/AppendFile/Rename/Rmdir/Unlink/Stat/Open/Close/Write/Read/Fstat/Ftruncate/Truncate(同上, 加 callback)

特殊: ReadCompressedFile(path, Action\<string\>), GetSavedFileList(Action\<List\<string\>\>), GetFileInfo(path, Action\<object\>), ReadDir/ReadDirSync(Readdir 别名)
Confidence
85% confidence
Finding
Rmdir/Unlink/Stat/Open/Close/Write/Read/Fstat/Ftruncate/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
---

### 3.10 Rmdir / RmdirSync

**说明**: 删除目录。
Confidence
26% confidence
Finding
Rmdir /

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal