Is gonghaiquan/douyin-publish safe?

https://github.com/openclaw/skills/tree/main/skills/gonghaiquan/douyin-publish

Overall score: 83 · Verdict: SAFE

The douyin-publish skill is a documentation-only artifact (SKILL.md + _meta.json) with no embedded executable code, no prompt injection, and a clean clone profile that only connects to GitHub. Its own content is low-risk. However, the skill depends on two entirely unaudited external components — an undocumented local Node.js MCP server and a PyPI package installed via 'uvx douyin-mcp-server' — which represent the primary unverifiable attack surface; the skill's true security posture cannot be fully assessed without auditing those components. Additionally, persistent Douyin session cookies stored on disk and Puppeteer browser automation create a high-value credential attack surface that a compromised MCP server could exploit.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (8)

MEDIUM Unaudited PyPI MCP Server Dependency (uvx douyin-mcp-server) -18

The skill instructs users to configure 'uvx douyin-mcp-server' as an MCP server. The 'uvx' command downloads and executes a Python package from PyPI. This package is outside the scope of this audit; it could contain credential-harvesting, exfiltration, or code-execution payloads that activate when the agent invokes Douyin-related tools.

MEDIUM Unverified Local Node.js MCP Server (douyin-mcp-server) -10

The primary required MCP server is a local Node.js binary at ~/douyin-mcp-server/mcp-server/dist/index.js. SKILL.md does not document where to obtain this server, making it impossible to audit. If a user is directed to a malicious repo to obtain it, the entire Douyin workflow becomes a code execution vector.

MEDIUM Sensitive Douyin Session Cookies Stored on Disk -15

The skill persists Douyin login cookies at ~/douyin-mcp-server/mcp-server/douyin-cookies.json. These cookies grant full Douyin account access. Any process or skill with filesystem read access could read and exfiltrate them. The unaudited MCP servers would have read access to this file by design.

LOW Unaudited MCP Server Could Exfiltrate Data -5

The unaudited 'uvx douyin-mcp-server' PyPI package and the undocumented local Node.js server have unrestricted access to the filesystem and network when running as MCP servers. Either could silently read local credentials or environment files and send them to attacker-controlled infrastructure.

LOW Hardcoded Author Home Directory Paths -12

SKILL.md includes file paths rooted at /home/gonghaiquan/ (the skill author's home directory) in usage examples and the 'File Locations' section. When injected into an agent's system prompt, these paths may cause the agent to reference the wrong user's directories, creating confusion or subtle misdirection.

LOW Pre-existing Ubuntu Telemetry Connections Active During Clone -8

TCP connections to Canonical/Ubuntu servers (91.189.91.49, 185.125.188.57, 185.125.188.59) were established before the clone. While these appear to be standard Ubuntu update/security channels, their presence during skill installation is noted. They did not persist after the audit session.

INFO Canary Files Read by Audit Framework (Not Skill) -3

Honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud application_default_credentials.json) were read-accessed at two points: immediately after monitoring started (1771932208, before clone) and after install completed (1771932231). No executable code in the skill can explain these accesses; timing and ordering are consistent with the audit framework's own pre-install baseline scan and post-install integrity verification. All files remain intact and unmodified.

LOW Browser Automation With Persistent Credentials Creates Hijack Surface -35

The skill's core mechanism (Puppeteer controlling Chrome with persisted cookies) gives the MCP server layer full browser-level access to the authenticated Douyin session. A malicious or compromised MCP server could use this to scrape account data, publish unauthorized content, impersonate the user, or pivot to other platforms via the browser. The skill itself is benign but activates this attack surface by design.