DoubaoChatObtain

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it extracts Doubao chat text through browser automation and saves it locally, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable using agent-browser and saving Doubao conversation text on your machine. Treat the extracted files as potentially private, review the output path before running, and delete /tmp/doubao_raw.json and the generated text file when you no longer need them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill extracts full Doubao conversation text and saves it to local files without a clear warning that the content may contain private, personal, or regulated data. Because the skill is designed to obtain entire conversation threads, the context increases the sensitivity: silent persistence can expose confidential content to other local users, backups, logs, or later unintended reuse.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal