Douyin Auto-Publish

Security checks across malware telemetry and agentic risk

Overview

This Douyin publishing skill is mostly coherent, but it uses a metered third-party platform flow and defaults to sending platform credentials over unencrypted HTTP.

Review before installing. Use only if you trust the easyclaw/CHANJING platform, set CHANJING_PLATFORM_BASE_URL to an HTTPS endpoint, confirm the point cost before each publish, and protect or delete the saved Douyin cookie files because they can represent a logged-in account session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and documents use of environment variables, cookie files, network access, and shell-executed Python scripts, but it does not declare permissions accordingly. This weakens user consent and reviewability because the skill can access authentication material, write local files, and call external services without an explicit capability declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description frames the skill as simple Douyin auto-publishing, but the documented behavior also captures and stores login cookies, validates account sessions, and sends data to an external platform for authorization and result reporting. That mismatch is security-relevant because users may provide sensitive cookies and API credentials without understanding that a third-party service is involved.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill advertises direct Douyin publishing, but hard-codes a third-party platform endpoint and user portal unrelated to Douyin itself. This creates a supply-chain and data-routing risk because users may unknowingly send content and credentials to an external service not disclosed by the manifest.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code reads credentials for a separate platform service from environment variables and prepares them for outbound requests. In context, this is risky because the skill's stated purpose is Douyin automation, so collecting unrelated service secrets broadens trust and may expose users to undisclosed credential use.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The request function performs generic API calls to the external platform rather than to Douyin, contradicting the manifest's direct-publishing claim. This mismatch is dangerous because it can mislead operators about where videos, metadata, and secrets are being sent, undermining informed trust decisions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script does more than local browser automation: it sends publish metadata to a separate backend for authorization and reports success/failure back, which expands data exposure beyond the stated Douyin-only purpose. Even though the transmitted payload is limited to filenames, title, tags, schedule time, grant ID, and status, this is still an undocumented external control/reporting channel that can leak operational metadata and create a hidden dependency on a third-party service.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The script redirects stdout/stderr to a persistent log file and installs a global exception hook, so runtime details such as video paths, titles, tags, schedule time, and stack traces may be written to disk. In a publishing automation context this can expose sensitive operational metadata or local filesystem information to other local users or later collection processes, especially because retention and access controls are not defined.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that publishing will deduct user points as part of the normal flow, but it does not describe any explicit user confirmation, pre-charge notice, or informed consent step. In an automation skill that performs actions on behalf of the user, silent charging increases the risk of unexpected account depletion and deceptive billing behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents that the script will contact a platform API for authorization and report publish success or failure, but it does not clearly disclose what data is transmitted, to whom, or under what privacy protections. Because this skill automates posting to a third-party creator platform using local cookies and local files, undisclosed data transfer materially increases privacy and trust risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to capture and store Douyin authentication cookies and configure API credentials, but it omits warnings about the sensitivity of those secrets, storage risks, and how they may be transmitted or used. In a skill that automates publishing, stolen cookies or API keys could enable account takeover, unauthorized posting, or abuse of the linked platform account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The default platform URLs use plain HTTP, not HTTPS, while the client sends authentication headers containing API credentials. This allows interception or modification by a network attacker via man-in-the-middle attacks, leading to credential theft and request tampering.

VirusTotal

64/64 vendors flagged this skill as clean.
