Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

alexliutkdownload

v1.0.2

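Douyin watermark-free video download tool. When the user sends a Douyin video link, it automatically parses the link, downloads the watermark-free version, uploads it to a cloud drive and sends it to the user. Use cases: - the user sends a Douyin link - "download this video" - "help me save this Douyin video" - "parse the Douyin link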


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for alexliu9921/alexliutkdownload.

Install the skill "alexliutkdownload" (alexliu9921/alexliutkdownload) from ClawHub.
Skill page: https://clawhub.ai/alexliu9921/alexliutkdownload
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alexliutkdownload

ClawHub CLI

npx clawhub@latest install alexliutkdownload

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The code and SKILL.md match the stated purpose: parse a Douyin link, download a no-watermark MP4 to /tmp, then upload it to a cloud drive. However the skill assumes the presence of a local upload proxy (http://localhost:$PORT/proxy/qclaw-cos/upload) and a specific virtualenv and workspace path (~/.agent-reach-venv and ~/.qclaw/workspace/skills/...), none of which are declared in the skill metadata. That mismatch (undeclared local service and fixed paths) is unexpected and should be justified.

! Instruction Scope

SKILL.md explicitly tells the agent to source a specific virtualenv, execute the bundled parse-douyin.py from a hard-coded path, write the downloaded file to /tmp, and then POST a JSON payload to a localhost proxy endpoint. The instructions reference an env var (AUTH_GATEWAY_PORT) and local HTTP proxy that are not declared. These instructions reach outside the skill bundle (local service, filesystem) and grant the skill the ability to cause the local proxy to read arbitrary local files — this is scope creep that should be declared and explained.

Install Mechanism

There is no external download/install spec; the included install.sh simply copies the .py and .md files into a workspace directory — low risk. requirements.txt contains a malformed line ('1 requests'), so there is no reliable declared dependency installation step; this is a packaging bug that may cause runtime failures but not evidence of malicious downloads.

! Credentials

The skill metadata declares no required environment variables or credentials, yet SKILL.md uses AUTH_GATEWAY_PORT and relies on a local HTTP upload proxy. Because those runtime dependencies are not declared, the agent or user may be surprised by required local service access. The script itself does not request external credentials, but the unexplained local proxy may have its own authorization semantics — that should be disclosed.

Persistence & Privilege

The skill is user-invocable, not always-enabled, and does not request system-wide persistence. install.sh writes files into the skill workspace (~/.qclaw/...), which is normal for a skill. It does not modify other skills or system-wide configs.

What to consider before installing

Before installing, verify the following:

  1. confirm you trust the local upload proxy the skill calls (http://localhost:$PORT/proxy/qclaw-cos/upload) — ask the skill author what that service is and what permissions it has;
  2. confirm the environment assumptions (~/.agent-reach-venv, ~/.qclaw/workspace) match your agent runtime or adjust the SKILL.md to use relative/declared paths;
  3. fix the malformed requirements.txt (it currently contains '1 requests') so dependencies can be installed as intended;
  4. review parse-douyin.py to ensure it only downloads the expected video file (it does perform network fetches and writes to /tmp);
  5. consider running the skill in a sandboxed environment if you are unsure about the local proxy behavior or retention of downloaded files.

If the author can declare the required env var(s) and clarify the local upload service, that would reduce the concerns and could change the assessment to benign.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎵 Clawdis
latest vk97bjzz3cxs9jcgbaqd9hprm7583a9hf
123 downloads
0 stars
2 versions
Updated 1mo ago
v1.0.2
MIT-0

Douyin Watermark-Free Video Download Skill

Trigger

Activated when the user sends a Douyin video link.

Workflow

User sends a Douyin link
  → Step 1: Call parse-douyin.py to parse the video
  → Step 2: Upload the video to the cloud drive
  → Step 3: Return the download link to the user

Commands

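Step 1: Parse and download

source ~/.agent-reach-venv/bin/activate
# Quote the link so the shell does not interpret '?' or '&' in the URL
python3 ~/.qclaw/workspace/skills/douyin-download/parse-douyin.py "<Douyin link>"

Supported formats: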

  • https://www.douyin.com/video/1234567890123456789
  • https://v.douyin.com/xxxxx?modal_id=1234567890123456789
  • Any link containing a 19-digit numeric video ID

Step 2: Upload to the cloud drive

PORT=${AUTH_GATEWAY_PORT:-19000}
curl -s -X POST "http://localhost:${PORT}/proxy/qclaw-cos/upload" \
  -H 'Content-Type: application/json' \
  -d '{"localPath":"<video path>","conflictStrategy":"ask"}'

Step 3: Return the result

Output the content of the message field returned by the cloud drive directly.
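
One way to address the scan's concern that the Step 2 call lets the local proxy read whatever localPath names is to check the path before posting it. This is an added example, not part of the skill's bundle: the function names are hypothetical, and it assumes Step 1 writes to /tmp/douyin_<video_id>.mp4 with a 19-digit ID, as the Notes and the supported formats state.

```sh
#!/bin/sh
# Added example: guard in front of the Step 2 upload call.
# Function names are hypothetical; the endpoint, port default and JSON
# fields are the ones shown in Step 2.

# True only for /tmp/douyin_<19 digits>.mp4, the path named in the Notes.
path_is_expected() {
  id=${1#/tmp/douyin_}
  id=${id%.mp4}
  [ "/tmp/douyin_${id}.mp4" = "$1" ] || return 1  # prefix and suffix both present
  [ "${#id}" -eq 19 ] || return 1                 # the page describes 19-digit IDs
  case $id in *[!0-9]*) return 1 ;; esac          # digits only: no '/', '..', quotes
  return 0
}

# True only for a regular file that is not a symlink to something else.
is_plain_file() {
  [ -f "$1" ] && [ ! -L "$1" ]
}

# Safe to interpolate: a path accepted above has no JSON metacharacters.
build_payload() {
  printf '{"localPath":"%s","conflictStrategy":"ask"}' "$1"
}

upload_video() {
  path_is_expected "$1" && is_plain_file "$1" || {
    echo "refusing to upload unexpected path: $1" >&2
    return 1
  }
  port=${AUTH_GATEWAY_PORT:-19000}
  case $port in ''|*[!0-9]*) echo "bad AUTH_GATEWAY_PORT" >&2; return 1 ;; esac
  curl -s -X POST "http://localhost:${port}/proxy/qclaw-cos/upload" \
    -H 'Content-Type: application/json' \
    -d "$(build_payload "$1")"
}

# Run as: sh upload-guard.sh /tmp/douyin_<video_id>.mp4
if [ -n "${1:-}" ]; then
  upload_video "$1"
fi
```

The guard narrows what this caller sends; it does not change what the proxy itself will accept from other local callers.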

Example

User Input:

https://www.douyin.com/video/7611512807091178804

AI Actions:

  1. Run the parsing script
  2. Upload to the cloud drive
  3. Output the link returned by the cloud drive

Output:

✅ 视频已保存!

📎 douyin_7611512807091178804.mp4 (104.2 MB)
🔗 下载链接: https://jsonproxy.3g.qq.com/urlmapper/xxxxx

云端保留 30 天,请及时保存~

Notes

  • The video is saved to /tmp/douyin_<video_id>.mp4
  • Cloud copies are cleaned up automatically after 30 days
  • No cookie required; verified to parse public videos directly
