ClawHub

dy-caption

Security checks across malware telemetry and agentic risk

Overview

This skill transparently sends Douyin share content and a dy-caption API key to an external transcription service, which matches its stated purpose.

Install only if you trust dy-caption and api.dycaption.cn with the Douyin share text and your API key. Use a dedicated or revocable key if possible, avoid submitting private or sensitive videos, and verify the GitHub repository before cloning it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly states that user-provided share links/share text and the API key are sent to a third-party remote service, yet it does not disclose privacy, retention, logging, or handling expectations. This creates a real data exposure risk because users may submit sensitive content or credentials without informed consent, and agent operators may unknowingly route private data off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
version: 1.0.0
description: 提取抖音视频语音并转成文字。使用场景:(1) 用户要求提取抖音/短视频文案字幕 (2) 用户提供抖音分享链接想转文字 (3) 用户想查询转写余额或历史。requires:
  binaries:
    - curl
sendsDataTo:
  - https://api.dycaption.cn
---
Confidence
90% confidence
Finding
curl sendsDataTo: - https://api.dycaption.cn --- # 抖音字幕提取 通过 `dy-caption` 服务把抖音视频里的语音转成文字。 > **注意**:本技能会将抖音分享链接 / 分享文案 与 API Key 发送到 dy-caption 服务,请确认你信任该服务后再使用。 ## 认证 调用接口前需要先准备 API Key: ```b

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 提交转写任务
curl -X POST https://api.dycaption.cn/api/v1/transcribe \
  -H "X-API-Key: $DY_CAPTION_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input":"7.53 复制打开抖音,看看【示例】 https://v.douyin.com/xxxx/"}'
Confidence
92% confidence
Finding
https://api.dycaption.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"input":"7.53 复制打开抖音,看看【示例】 https://v.douyin.com/xxxx/"}'

# 查询余额
curl -X GET https://api.dycaption.cn/api/v1/credits \
  -H "X-API-Key: $DY_CAPTION_API_KEY"

# 查询历史
Confidence
88% confidence
Finding
https://api.dycaption.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "X-API-Key: $DY_CAPTION_API_KEY"

# 查询历史
curl -X GET https://api.dycaption.cn/api/v1/history \
  -H "X-API-Key: $DY_CAPTION_API_KEY"
```
Confidence
88% confidence
Finding
https://api.dycaption.cn/

VirusTotal

36/36 vendors flagged this skill as clean.

View on VirusTotal