Douyin Comment Analysis (抖音评论分析)
Pass. Audited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill
Name: douyin-sentiment-dashboard
Version: 1.0.0
The skill provides a legitimate-looking sentiment analysis service for Douyin videos via the third-party domain ai-skills.ai. However, the 'one-click' bash script provided in SKILL.md contains a shell injection vulnerability: it embeds the user-provided $LINK variable directly into a curl command string without sanitization. While there is no clear evidence of malicious intent or data theft, this flaw allows for potential remote code execution if the agent or a user executes the example script with a maliciously crafted URL.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The API key may consume the user's quota or grant access to their ai-skills.ai account usage for this service.
The skill requires an API key and explicitly says it will be sent to ai-skills.ai for authenticated steps.
requiredEnvVars:
  - name: AISKILLS_API_KEY
...
Step 2/3 接口调用时会将 API Key 发送至 ai-skills.ai 服务器。 (The Step 2/3 API calls send the API Key to the ai-skills.ai server.)
Use a revocable, least-privileged API key if available, monitor usage, and revoke it if the service is no longer needed.
The external service will learn the video link being analyzed and handle the resulting analysis request.
The skill discloses that user-provided Douyin video links and authentication data are sent to an external service.
security:
  thirdPartyDomain: ai-skills.ai
  dataSent:
    - "skillId(技能标识符)"
    - "params(技能参数,含用户提供的视频链接,Step 2/3 需认证)"
    - "X-API-Key(认证密钥,仅 Step 2/3 发送)"
Only analyze links you are comfortable sharing with ai-skills.ai, and review that service's privacy and data-retention policies before use.
