Douyin Learning Pipeline
Review
Audited by ClawScan on May 10, 2026.
Overview
This Douyin workflow is purpose-aligned, but it asks for account cookies/API keys and can run automatic install/clone/setup commands that are not declared in its registry metadata.
Install only after reviewing the setup scripts and downloader code. Do not allow automatic pip/apt/brew installs or unpinned GitHub cloning unless you approve them. Use temporary or least-privilege API keys/cookies, protect or delete local credential files, and confirm before sending media/transcripts to external providers or writing to Feishu.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may run local shell commands and change your Python or system package environment.
The skill tells the agent to run a shell script on every relevant task and install dependencies when missing, which is high-impact command execution for an instruction-only skill.
Whenever a Douyin-related task is received, first run the environment self-check: ... `bash scripts/check_env.sh` ... If something is missing: automatically try to install it (Python packages via pip, system packages via apt/brew)
Review the setup scripts before use and require explicit approval for pip, apt, or brew actions.
The code actually run may differ from the reviewed bundle if the remote repository changes.
The workflow can fetch a mutable external repository without a pinned commit or tag if the local downloader is considered missing.
If not deployed, clone automatically: `git clone https://github.com/jiji262/douyin-downloader.git`
Use the bundled reviewed code or pin any clone to a specific commit/tag and ask the user before fetching external code.
A third-party remote config change could alter where the tool sends token-generation requests.
Visible code fetches mutable remote configuration from GitHub and then uses that configuration to choose a network endpoint for token generation.
F2_CONF_URL = "https://raw.githubusercontent.com/Johnserf-Seed/f2/main/f2/conf/conf.yaml" ... request = urllib.request.Request(conf["url"],
Pin or vendor the needed token configuration, validate allowed endpoints, and disclose this network dependency to users.
These credentials can enable paid API use, logged-in Douyin access such as favorites, and document writes if mishandled.
The skill asks for provider keys, live Douyin session cookies, and optionally a Feishu document token, despite the registry declaring no primary credential.
Please provide a SiliconFlow API Key ... Please provide Douyin cookies (msToken, ttwid, odin_tt, passport_csrf_token, sid_guard) ... Please provide a Feishu document link or token
Use least-privilege or temporary credentials, avoid pasting broad session cookies unless necessary, and confirm exactly where tokens are stored and sent.
Anyone with access to the local files could read the stored Douyin cookies.
Douyin cookies are saved to a local JSON file for reuse; this is operationally useful but persists sensitive session material.
def __init__(self, cookie_file: str = ".cookies.json") ... json.dump(self.cookies, f, ensure_ascii=False, indent=2)
Protect the working directory, remove .cookies.json when finished, and avoid sharing the project folder with credentials inside.
Downloaded audio/video-derived content may be sent to SiliconFlow or related model providers for transcription or polishing.
The transcription workflow is disclosed as using an external provider API; this is purpose-aligned, but it is an external data flow.
Default ASR: `TeleAI/TeleSpeechASR` ... `scripts/transcribe.sh` ... automatically calls the SiliconFlow API
Do not process private or sensitive media unless you accept the provider’s data handling terms.
