Social Media Data Assistant: Douyin MCP | Douyin MCP

Security checks across malware telemetry and agentic risk

Overview

This plugin is a disclosed read-only Douyin research connector to a hosted MCP service, with privacy and dependency hygiene caveats but no artifact-backed malicious behavior.

Install only if you are comfortable sending Douyin search terms, profile or video URLs, IDs, and related lookup data to the SocialDataX hosted endpoint using your API key. Avoid submitting sensitive research queries, and prefer a release with clearer privacy terms and pinned dependencies for stricter environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The manifest explicitly configures a hosted external MCP endpoint and API-key authentication, but it does not disclose that user prompts, lookup terms, URLs, or retrieved Douyin-related data may be sent to a third-party service. This creates a transparency and privacy risk because users may unknowingly transmit sensitive research interests or account identifiers off-platform.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
}
  },
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.29.0"
  },
  "files": [
    "openclaw.plugin.json",
Confidence: 90%
Finding
"@modelcontextprotocol/sdk": "^1.29.0"

VirusTotal

58/58 vendors flagged this plugin as clean.
