Dygod Movies

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill’s movie-scraping purpose is coherent, but it exposes and instructs use of a hardcoded Synology NAS username/password and session-based NAS control commands.

Do not install or use this skill until the hardcoded Synology NAS credential is removed. If you use it, configure your own NAS address and credentials securely, use HTTPS where possible, and require confirmation before any download or deletion task is sent to DownloadStation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A real NAS credential may be exposed, reused, stored in command history, or used by the agent to access and modify a NAS without a properly declared user credential setup.

Why it was flagged

The skill publishes a concrete Synology NAS IP address, account name, and password, then instructs the agent/user to obtain a DownloadStation session ID with them.

Skill content

curl.exe -s "http://192.168.123.223:5000/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&account=xiaoai&passwd=Xx654321&session=DownloadStation&format=sid"

Recommendation

Remove the hardcoded IP, username, and password; require the user to provide their own NAS endpoint and credentials through a declared secure credential/config mechanism, preferably over HTTPS.

What this means

If used carelessly, the agent could add unwanted downloads to the NAS, consume storage/bandwidth, or place risky files in shared media folders.

Why it was flagged

The skill directly controls Synology DownloadStation task creation using raw API parameters and a session ID.

Skill content

curl.exe -s -X POST -d "api=SYNO.DownloadStation.Task&version=1&method=create&uri=magnet:?xt=urn:btih:XXX&destination=video/电影&_sid=YOUR_SID" "http://192.168.123.223:5000/webapi/DownloadStation/task.cgi"

Recommendation

Require explicit user confirmation of the exact title, source link, destination folder, and file size before adding any NAS download task.

What this means

A bad or misleading scraped link could propagate from an external website into a persistent NAS download task.

Why it was flagged

The crawler extracts download links from third-party DYGod pages that may later be handed to the NAS download API.

Skill content

for link in soup.select("a[href*='magnet:'], a[href*='ed2k:'], a[href*='ftp://'], a[href*='http']"): ... download_links.append(href)

Recommendation

Treat scraped download links as untrusted; show the full source URL and selected link to the user before sending it to DownloadStation.