douyin push video

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unintended file/title could be posted publicly to the user's Douyin account.

Why it was flagged

The code defaults posts to public visibility (private_status = 0), and the command-line workflow publishes given only a video path and an optional title, with no built-in final approval step or privacy prompt before the upload call.

Skill content

@param {number} [opts.private_status] - 0 visible to everyone, 1 visible only to self, 2 visible to friends ... private_status = 0 ... // CLI: node index.js <video path> [title]

Recommendation

Require an explicit final confirmation showing account, file path, title, and visibility before calling the publish API; consider defaulting to private visibility or adding a dry-run mode.

What this means

Anyone or any process that can read the .env file may obtain credentials that can publish to the Douyin account until revoked or expired.

Why it was flagged

The skill stores account publishing credentials persistently and reuses them for future Douyin posting.

Skill content

Write the user-supplied openId and accessToken into .env in the project root ... it is kept permanently, and later Douyin posts will use this configuration first.

Recommendation

Store tokens only when necessary, keep .env out of source control, restrict file permissions, rotate or revoke tokens after use, and declare these credential requirements in metadata.

What this means

The chosen video file leaves the local machine and is sent to Douyin; choosing the wrong path could upload unintended content.

Why it was flagged

The selected local video file and OAuth token are sent to Douyin's API endpoint, which is expected for the stated integration.

Skill content

const BASE = 'https://open.douyin.com'; ... form.append('video', createReadStream(absPath) ... headers: { 'access-token': accessToken, ...form.getHeaders() }

Recommendation

Verify the file path and destination before upload, and avoid using broad or sensitive file paths unless the user explicitly selected them.

Findings (3)

critical

suspicious.env_credential_access

Location
index.js:135
Finding
Environment variable access combined with network send.
critical

suspicious.env_credential_access

Location
scripts/get-douyin-token.js:37
Finding
Environment variable access combined with network send.
critical

suspicious.exposed_secret_literal

Location
index.js:136
Finding
File appears to expose a hardcoded API secret or token.