douyin-hot

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Douyin hot-search data and saves the result locally, with no evidence of hidden credential access or unrelated behavior.

Install only if you are comfortable with the skill contacting Douyin and saving a local JSON copy of the public hot-search results in your workspace scripts directory. Delete douyin-hot-clean.json if you do not want the saved result retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The skill discloses network scraping behavior but does not clearly warn users that scraped results are persisted to a workspace file. Silent local writes can create privacy, retention, and workspace hygiene issues, especially in shared or automated environments where users may not expect data to be stored beyond the immediate response.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal