Security audit

Maxhub Douyin

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly disclosed as a Douyin analytics tool, but it also exposes high-risk automation, session, anti-bot, messaging, and play-count manipulation capabilities that need review before use.

Install only if you intentionally need a high-risk Douyin/MaxHub integration and are prepared to review each restricted call. Avoid using primary account cookies, do not run play-count manipulation or anti-bot signing unless you fully understand the platform and compliance risk, and require explicit per-call approval for cookies, device/session generation, bulk extraction, private-message links, and any write-like endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (31)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill metadata and feature list explicitly advertise restricted capabilities such as write actions, session bootstrap, cookie/token input, anti-bot signature generation, and playback count changes, yet the '核心约束' section states it is read-only and does not perform write/account operations. This contradictory guidance can mislead an agent or operator into underestimating risk, causing sensitive session material or non-read-only endpoints to be used without the stricter confirmation and safety handling those actions require.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The index marks `query_user` as a high-risk write operation even though the name indicates a query helper, creating a dangerous documentation-to-behavior mismatch. In an agent setting, incorrect risk metadata can cause unsafe policy decisions, either allowing a sensitive endpoint under the wrong assumptions or misclassifying actions that should require stricter review.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Several atoms with clearly read-oriented names are labeled as non-idempotent write operations, which can mislead an agent’s authorization and execution logic. Because this skill explicitly contains restricted capabilities and relies on metadata for safe orchestration, such mislabeling can lead to unintended invocation of collection, scraping, or side-effecting endpoints without the proper consent flow.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The whitelist for an analytics/query-oriented skill explicitly includes abuse-enabling, non-read-only functionality such as play-count manipulation. Even though the file labels these endpoints as restricted, their presence expands the reachable attack surface and creates a path for misuse if an agent mishandles confirmation logic or a user is socially engineered into approving the call.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill exposes session-bootstrap and anti-bot bypass helpers such as guest cookie/token generation and signature generation, which can facilitate evasion of platform protections and unauthorized automated access. In the context of a Douyin analytics skill, these capabilities are especially dangerous because they are not necessary for ordinary user-facing analysis and can be repurposed for scraping, impersonation, or anti-abuse circumvention.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A private-message deep-link endpoint is outside the stated scope of data querying and content analysis, and it enables user-targeting behavior rather than passive analytics. This can be abused for unsolicited outreach, spam workflows, or coercive social engineering by steering users or agents into initiating contact with specific accounts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Bulk identifier extraction endpoints materially increase the ability to enumerate users, videos, and webcast identifiers at scale, which exceeds typical research needs for a normal analytics workflow. In practice, these endpoints can accelerate scraping, profiling, and downstream abuse by converting public URLs into structured IDs in bulk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This section exposes dedicated generators for anti-bot bypass artifacts and session identifiers that are explicitly meant for direct use against Douyin's original APIs rather than only the wrapper service. That materially expands the skill from read-oriented analytics into evasion-enabling infrastructure, which can be used to circumvent platform protections and facilitate unauthorized scraping or automation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The X-Bogus and A-Bogus endpoints are described as producing core anti-crawling signatures for direct requests to Douyin's original Web APIs. Providing these primitives to an agent gives it the means to bypass access controls and make non-wrapper requests outside the stated business purpose, which is dangerous even if labeled restricted.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Device registration plus guest-cookie, msToken, ttwid, verify_fp, and s_v_web_id generation collectively provide session bootstrapping and fingerprinting capabilities that can impersonate or fabricate client context. In an analytics-oriented skill, this is more dangerous because it enables stealthier collection and access expansion rather than merely querying already-authorized data.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
A deep-link that initiates private messaging is a user-interaction/write-oriented capability, not a natural extension of a query-and-analysis skill. In an agent setting, exposing contact/engagement actions increases the risk of spam, harassment, or unauthorized outreach under the guise of an analytics tool.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The documentation labels the endpoint as a high-risk 'write_op' while simultaneously presenting it as a user-query helper, creating ambiguity about its true behavior and safety properties. Such mismatched intent signaling can cause agents or reviewers to under-estimate risk and invoke the endpoint in inappropriate contexts.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation inconsistently states that `uid` is the same as `short_id` for `web_handler_user_profile_v3`, while nearby endpoints treat `uid` and `short_id` as distinct identifiers. In an agentic workflow, this can cause the agent to send the wrong identifier to downstream endpoints, leading to incorrect data access, failed requests, or cross-user data retrieval if one ID namespace is mistakenly mapped onto another.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file says agents must not construct cookies themselves, but then instructs them to obtain cookies via helper endpoints such as `web_generate_ttwid` or `web_fetch_douyin_web_guest_cookie`. That contradiction weakens a key safety boundary around credential/session handling and may normalize agent-mediated session fabrication or silent credential acquisition, especially dangerous because several high-risk endpoints accept cookies to access likes, collections, and other sensitive user data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file documents endpoints that return creator and consumer portrait data including gender, age bands, region, interests, device distribution, and activity periods, but it provides no explicit privacy or sensitivity warning beyond a generic '需用户确认'. That omission can cause an agent or operator to treat demographic profiling as routine analytics, increasing the risk of over-collection, inappropriate use, or disclosure of sensitive aggregated audience data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This endpoint exposes a user's subscribed keywords, which can reveal interests, monitoring targets, or business research topics. The documentation only says '需用户确认' but does not explicitly frame the data as privacy-sensitive, require ownership/authorization checks, or prohibit access to third-party subscription data, making misuse more likely in an agentic setting.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Audience portrait retrieval exposes demographic and profiling data such as gender, age, region, and interests, which are sensitive analytics outputs and can support invasive targeting or profiling. In this skill, the feature is presented as a normal analysis tool with only a confirmation note, without warning about sensitivity, aggregation limits, compliance requirements, or restrictions on profiling use.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest imposes a global pre-call verification protocol on every API call, including broad decision rules around path matching, required parameters, and user confirmation. While intended as a safety control, globally scoped natural-language directives can be brittle, inconsistently enforced by agents, and may create a false sense of safety if relied upon instead of hard technical controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The index explicitly advertises flows for obtaining and reusing visitor/App cookies, which are session-bearing credentials, but provides no inline privacy, consent, or account-impact warning at the point of use. In this skill’s context, those cookie flows are also chained into many downstream recipes, increasing the chance an agent will collect or reuse authentication material beyond a user’s informed intent.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The recipe chain explicitly supports 达人搜索、粉丝分析、相似达人、达人对比 and UID→达人分析, but the file provides no user-facing warning that it performs profile/audience analysis on individuals based on keywords or supplied identifiers. This can lead to privacy-sensitive processing without informed user awareness, especially because the broader skill is not purely read-only and includes analytics on identifiable accounts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This recipe requires a `cookie` input for multiple creator-data endpoints but provides no warning about the sensitivity of account cookies, the scope of data accessible through them, or safe handling expectations. In practice, session cookies can grant access to private creator analytics and account-linked data, so encouraging their use without explicit consent, minimization, and handling guidance increases the risk of credential misuse or inadvertent account compromise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The recipe exposes a vision-search flow that takes an `image_uri` and sends it to a remote API, but it provides no notice, consent step, or data-handling warning to the user. Because image inputs can contain sensitive personal, biometric, location, or copyrighted content, silently uploading or processing them increases privacy and compliance risk, especially in an agent context where users may not realize a third-party service is involved.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The recipe explicitly instructs the agent to obtain a guest cookie and reuse it for subsequent Web endpoint calls, but it provides no user-facing warning, consent requirement, or explanation of session/privacy implications. Even if the cookie is 'guest' scoped, automated acquisition and reuse of session material can create tracking, policy, and privacy risks, especially when an agent performs it transparently on the user's behalf.

Missing User Warnings

High
Confidence
97% confidence
Finding
This recipe directs the agent to register a device in order to obtain an App cookie, which is more sensitive than a passive read-only call because it creates device/session state and may emulate a client environment. In the broader skill context, the metadata already notes restricted capabilities around device/session/signature assistance, so omitting explicit authorization and side-effect warnings materially increases the risk of unauthorized session creation, abuse of platform controls, or account/device policy violations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The recipe explicitly accepts a user's cookie to enumerate collections and then retrieve videos from those collections, but it only notes '需用户授权' without explaining the sensitivity of cookie handling, scope of access, retention expectations, or risks of exposing private account data. In this skill's context, this is more dangerous because the skill is not purely read-only and already includes higher-risk capabilities, so a weakly constrained cookie-based flow increases the chance of overcollection or misuse of authenticated data.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.