Security audit

doubao-copywriter

Security checks across malware telemetry and agentic risk

Overview

This is a simple Doubao copywriting helper, but users should remember their prompts go to Doubao under a logged-in account.

Install only if you are comfortable using Doubao for the content you provide. Do not submit passwords, secrets, private business documents, personal data, or sensitive unpublished material. Prefer the manual local workflow if you do not want an agent interacting with a logged-in Doubao browser session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs the agent to interact with a third-party website while the user is logged in and to submit user-provided content there, but it does not warn about privacy, data retention, or the risks of exposing sensitive prompts to an external service. Because the workflow explicitly depends on an authenticated session and even asks for login via QR code, it increases the chance that private user data or account-linked activity is sent to a third party without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.