douyin push video
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: douyin-push-video
Version: 1.0.0
The skill automates Douyin video uploads, but the uploadVideo function in index.js accepts and reads an unvalidated file path, which is a potential arbitrary file read: any file the process can read could be selected and sent to Douyin. In addition, SKILL.md and scripts/get-douyin-token.js instruct the agent to write the OAuth credentials (openId and accessToken) in plain text to a local .env file. Both behaviours fit the skill's stated purpose of automating social media posts, but the missing path sanitization and the plaintext handling of secrets become a security risk if the agent is manipulated.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unintended file/title could be posted publicly to the user's Douyin account.
The code defaults posts to public visibility and the command-line workflow can publish with only a video path and optional title, with no built-in final approval or privacy prompt.
@param {number} [opts.private_status] - 0 visible to everyone, 1 visible only to self, 2 visible to friends ... private_status = 0 ... // CLI: node index.js <video path> [title]
Require an explicit final confirmation that shows the account, file path, title and visibility before calling the publish API; consider defaulting to private (self-only) visibility or adding a dry-run mode.
Anyone or any process that can read the .env file may obtain credentials that can publish to the Douyin account until revoked or expired.
The skill stores account publishing credentials persistently and reuses them for future Douyin posting.
Writes the user-supplied openId and accessToken into .env in the project root ... this is kept permanently, and later Douyin posts use this configuration first.
Store tokens only when necessary, keep .env out of source control, restrict file permissions, rotate or revoke tokens after use, and declare these credential requirements in metadata.
The chosen video file leaves the local machine and is sent to Douyin; choosing the wrong path could upload unintended content.
The selected local video file and OAuth token are sent to Douyin's API endpoint, which is expected for the stated integration.
const BASE = 'https://open.douyin.com'; ... form.append('video', createReadStream(absPath) ... headers: { 'access-token': accessToken, ...form.getHeaders() }
Verify the file path and destination before upload, and avoid using broad or sensitive file paths unless the user explicitly selected them.
