Douyin Title Generator V2

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a simple Douyin title generator, but its PowerShell wrapper (generate.ps1) assembles a command string from the title inputs and runs it with Invoke-Expression, so crafted input can execute arbitrary local commands.

Review before installing. Prefer running the Python script directly, or require the publisher to replace Invoke-Expression with structured PowerShell argument passing before use. Do not pass untrusted or pasted text into generate.ps1.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The script builds a command string from user-controlled parameters (Topic, Style, Audience, Trending) and executes it with Invoke-Expression. Because Invoke-Expression parses the assembled string as PowerShell source, input that contains a closing quote, a semicolon, or a $( ) subexpression breaks out of the intended Python arguments and runs arbitrary commands on the host.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
Executing a constructed command via Invoke-Expression with no warning to the user compounds the command injection issue at that call site. The skill context makes it more dangerous: a simple title generator has no legitimate need for dynamic shell evaluation, so any command execution it triggers falls outside user expectations and can lead to arbitrary local actions.
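The following PowerShell is an added illustration of both findings and of the fix the overview asks for; it is not the skill's own generate.ps1, which this page does not reproduce. The unsafe function reconstructs the pattern the finding describes (string concatenation followed by Invoke-Expression), the safe function passes each value as a separate argument through the call operator, and a constructed payload shows how a title breaks out. The script name generate_titles.py and the --topic/--style/--audience/--trending flags are assumptions, not the skill's real interface.

```powershell
# Added illustration, not the skill's own generate.ps1 (this page does not reproduce
# that script). The unsafe function reconstructs the pattern the finding describes;
# the safe one is the structured argument passing the overview asks for.
# Assumptions: the Python entry point is named generate_titles.py and accepts
# --topic/--style/--audience/--trending. Both are placeholders.

# Pre-install check: flag dynamic evaluation in the wrapper before running anything.
Select-String -Path .\generate.ps1 -Pattern 'Invoke-Expression|\biex\b' -ErrorAction SilentlyContinue

# Vulnerable shape: concatenate user input into one string, then hand it to
# Invoke-Expression, which parses and runs it as PowerShell source code.
function Build-TitleCommandUnsafe {
    param([string]$Topic, [string]$Style, [string]$Audience, [string]$Trending)
    "python generate_titles.py --topic `"$Topic`" --style `"$Style`" --audience `"$Audience`" --trending `"$Trending`""
}

function Invoke-TitleGeneratorUnsafe {
    param([string]$Topic, [string]$Style, [string]$Audience, [string]$Trending)
    Invoke-Expression (Build-TitleCommandUnsafe @PSBoundParameters)
}

# Hardened shape: nothing is re-parsed. The call operator (&) starts the
# executable directly and every array element becomes exactly one argv entry,
# so quotes, semicolons and $(...) in the input reach Python as plain text.
function Invoke-TitleGeneratorSafe {
    param([string]$Topic, [string]$Style, [string]$Audience, [string]$Trending)
    $pythonArgs = @(
        'generate_titles.py',
        '--topic',    $Topic,
        '--style',    $Style,
        '--audience', $Audience,
        '--trending', $Trending
    )
    & python @pythonArgs
}

# Constructed payload. The embedded closing quote ends the --topic value, the
# semicolon starts a new statement, and the trailing '#' comments out the rest
# of the generated line so the whole string still parses cleanly.
$payload = 'cat videos"; Write-Host "INJECTED: arbitrary PowerShell ran here" #'

# Show what Invoke-Expression would be asked to run, without running it.
Build-TitleCommandUnsafe -Topic $payload -Style 'funny' -Audience 'teens' -Trending 'yes'

# Invoke-TitleGeneratorUnsafe -Topic $payload -Style 'funny' -Audience 'teens' -Trending 'yes'
#   runs the Write-Host (or any other command) on the host.
# Invoke-TitleGeneratorSafe   -Topic $payload -Style 'funny' -Audience 'teens' -Trending 'yes'
#   hands Python the payload verbatim as the value of --topic.
```

Two caveats on the hardened form. First, PowerShell 7.3 and later quote native-command arguments correctly (governed by $PSNativeCommandArgumentPassing); Windows PowerShell 5.1 can still mis-quote a value that contains a literal double quote, which may split or merge argv entries for the Python process but never re-enters PowerShell as code. Second, a value beginning with "-" is still interpreted by the Python script's own option parser, so the script should validate its inputs as well; that is argument handling inside Python, not shell injection. If the publisher does not make this change, the safer path remains the one the overview gives: run the Python script directly and keep generate.ps1 out of the loop.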

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.