Douyin Upload

Security checks across malware telemetry and agentic risk

Overview

This skill clearly aims to auto-publish Douyin articles, but it can post to a live account by default and uses an unsafe shell command path with user-influenced filenames.

Install only if you intentionally want an agent to generate content and publish to a linked Douyin account. Use --skip-publish or a manual review workflow first, inspect the generated article and image, avoid sensitive prompts, and treat logs as potentially sensitive. The publisher should replace shell=True with argument-list execution, narrow triggers to explicit Douyin publishing requests, and add a required publish confirmation or dry-run default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Execute the command
            result = subprocess.run(
                command,
                shell=True,
                capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=300 # 5-minute timeout

Tainted flow: 'image_url' from requests.post (line 129, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
image_url = data["data"][0]["url"]
                
                # Download and save the image
                image_data = requests.get(image_url).content
                return self.save_generated_image(image_data, prompt)
            else:
                print(f"DALL-E API错误: {response.status_code}, {response.text}")
Confidence
89% confidence
Finding
image_data = requests.get(image_url).content

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The function constructs a generic shell command string from multiple variables and then executes it, giving the skill broader execution capability than necessary for simple article publishing. In an agent-skill context, unnecessary shell expressiveness increases the attack surface because inputs and config become indirect command parameters.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation criteria are broad enough to trigger on generic writing, content creation, or social-media requests, not just explicit Douyin publishing tasks. In context, this increases the risk that the skill is invoked unexpectedly and proceeds toward generating files or posting content for a live external platform when the user did not clearly intend that workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description and examples emphasize automatic publishing to Douyin but do not require a clear pre-publish confirmation before posting to a live linked account. This is particularly risky because the skill generates content automatically, so an incorrect, harmful, or unintended article could be published externally without an explicit user checkpoint.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes one-click automatic publishing to Douyin but does not clearly warn users that running the skill can perform external, account-affecting actions. This creates a real safety issue because users may invoke the tool expecting local content generation while unintentionally posting to a live social media account, causing reputational, compliance, or account-management harm.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to configure an OpenAI API key for content generation but does not disclose that user-supplied topics or content may be sent to an external AI provider. This is a genuine privacy and data-handling issue because users may unknowingly transmit sensitive prompts, business topics, or unpublished campaign material to a third-party service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples show automated publishing to Douyin and API-backed content generation, but they do not warn users that article content, prompts, and account actions may be sent to external services and may trigger live posting. In a publishing skill, omission of these warnings increases the chance of unintentional data disclosure or unintended account-impacting actions.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The log examples encourage viewing raw publish outputs and API responses, but do not caution that these logs may contain sensitive metadata, account information, request IDs, or provider responses. Users may store, share, or expose these logs without realizing they can contain sensitive operational data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow can trigger a real external publish action to Douyin as part of normal processing without any explicit confirmation, dry-run default, or strong warning at the point of execution. In an agent/automation context, this increases the risk of unintended publication of AI-generated content, accidental account misuse, or reputational harm if the theme is unsafe, incorrect, or user intent was ambiguous.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script's example path triggers a real publish operation without an explicit confirmation gate, dry-run mode, or safety prompt. In an automation/agent context, that increases the chance of unintended external actions, accidental posting, or abuse if the skill is invoked in the wrong environment.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Note: PIL is required; other dependencies depend on the configuration

# Base dependencies (required)
PIL>=9.0.0

# Optional dependencies
requests>=2.31.0
Confidence
87% confidence
Finding
PIL>=9.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
PIL>=9.0.0

# Optional dependencies
requests>=2.31.0

# Development dependencies
pytest>=7.0.0
Confidence
93% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0

# Development dependencies
pytest>=7.0.0
Confidence
80% confidence
Finding
pytest>=7.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
72% confidence
Finding
pytest

VirusTotal

63/63 vendors flagged this skill as clean.
