Skill v1.0.3
ClawScan security
douyin-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 15, 2026, 8:17 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is mostly consistent with a Douyin downloader, but the code will fetch and save arbitrary network resources (it follows redirects and requests whatever play_url it extracts) and writes files under the user's home directory. This creates SSRF/exfiltration and local-file risks that the README does not call out.
- Guidance: This skill appears to implement a Douyin video downloader and mostly matches its description, but it will follow redirects and fetch whatever play_url it finds, then save a file under ~/.openclaw/workspace/douyin-downloads/douyin_last.mp4. Consider these precautions before installing:
  1. Only run it in a restricted environment (sandbox or non-production account): a malicious share URL could cause requests to internal services (SSRF) or to arbitrary external hosts.
  2. Inspect and/or vendor the script locally rather than running unknown code directly.
  3. Run it as an unprivileged user and enforce network egress controls (block access to the cloud metadata endpoint 169.254.169.254 and other internal addresses).
  4. Be aware that it overwrites the previous download and stores files in your home directory; copy any video you want to keep before the next run.
  If you need higher assurance, ask the author for input validation (restrict hostnames, validate URL patterns) and for size and time limits on downloads.
Review Dimensions
- Purpose & Capability
  - note: Name/description, required binary (node), SKILL.md, and the included script align with a Douyin downloader. Minor mismatch: SKILL.md claims 'no environment variables needed', but the script reads HOME to build a path (normal, but not declared). The overall capability requested (network fetch + file write) is expected for a downloader.
- Instruction Scope
  - concern: The runtime instructions and script accept an arbitrary share URL, perform network requests (following redirects), and then download the extracted play_url. There is no validation of hostname or URL, so a maliciously crafted share page or redirect could cause the agent to request internal services (SSRF risk) or arbitrary external hosts. The script writes a fixed file under ~/.openclaw/workspace/douyin-downloads and deletes the previous file (no sandboxing or size limits).
- Install Mechanism
  - ok: Instruction-only skill with no install spec; it only requires node to run. No downloads or archive extraction happen during install, which is low-risk.
- Credentials
  - note: The skill requests no credentials or env vars. It does read process.env.HOME to construct paths (expected). No other sensitive environment access is requested. This is proportional to its purpose, but the HOME usage should be noted in the README (it currently says '无需配置', i.e. 'no configuration required').
- Persistence & Privilege
  - ok: always:false and no special privileges or persistence. The skill writes files to the user's workspace directory but does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (platform normal); weigh that together with the network concerns above when deciding whether to install.
