douyin-to-text

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for a Douyin transcription CLI, with expected network and API key use for that purpose.

Install only if you trust dytext.cn and the dytext-cli npm package. Expect Douyin links and your dytext API key to be sent to the dytext service, and protect the local `~/.dycaption` credential file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The description lists triggers such as '用户要求提取抖音视频文案/字幕' and '用户发送抖音分享链接需要转文字', but it does not define clear boundaries, explicit trigger phrases, or negative examples. It also includes '用户查询积分余额或转写历史', which is broad account-related language that could cause unintended invocation when users ask generally about balances or history.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal