Skill v1.0.0

ClawScan security

抖音学习流水线 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 14, 2026, 8:18 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what its name says (download/transcribe/transform Douyin content) but its manifest omits required credentials and it contains instructions that auto-install software, request sensitive cookies/API keys, and fetch remote configs — these mismatches and external network actions warrant caution.
Guidance
This skill contains a full Douyin downloader and related scripts and will ask for and store sensitive data (Douyin cookies, SiliconFlow API key, optionally Feishu/OPENAI tokens), auto-install Python packages and system tools, and fetch remote configuration/endpoint data. Before installing: 1) Verify the source / GitHub repo and publisher (the package has no homepage listed). 2) Do not supply full account cookies to untrusted code — prefer limited tokens or ephemeral credentials. 3) Run the skill in an isolated environment (VM/container) if you will allow automatic installs or execution. 4) Inspect scripts referenced by SKILL.md (scripts/check_env.sh, download_douyin.sh, transcribe.sh, setup_config.py) before running them, and decline automatic apt/brew sudo installs if unsure. 5) If you must use it, limit network access (or monitor outgoing connections) and consider sandboxing; restrict any Feishu tokens or other document tokens to least privilege. The primary red flags are the manifest/metadata mismatch about required secrets and the skill's ability to fetch remote configs and perform privileged installs — these make it reasonable to treat the package as potentially risky until you verify its origin and code.
Findings
[base64-block] unexpected: The pre-scan flagged a 'base64-block' prompt-injection pattern in SKILL.md. The visible SKILL.md does not obviously contain executable base64 payloads, so this may be a false positive or an embedded comment. Still, any prompt-injection flags in runtime instructions are worth extra scrutiny because they indicate the packaged instructions attempted to include an unusual block that could influence agent behavior.

Review Dimensions

Purpose & Capability
concern: The skill's code and SKILL.md implement a full Douyin downloader + transcription + postprocessing pipeline — that matches the name/description. However the registry metadata claims no required env vars or credentials while SKILL.md and the bundled code clearly require a SiliconFlow API key, Douyin cookies (msToken, ttwid, odin_tt, passport_csrf_token, sid_guard) and optionally document tokens (Feishu/OPENAI). The omission of these required secrets from the declared metadata is an inconsistency that reduces transparency.
Instruction Scope
concern: Runtime instructions direct the agent to run environment checks and to auto-install missing dependencies (pip, apt, brew), to clone/execute downloader code, to ask the user for secrets (SiliconFlow API key and Douyin cookies) and to write local config and cookie files. It also calls external services (SiliconFlow API, optional mssdk endpoints via ms_token_manager using a remote conf URL, and could write to Feishu if configured). Asking for full account cookies and performing network calls are within the downloader's purpose, but the broad, automatic install-and-fetch behavior and the mismatch with declared requirements are scope and privacy concerns.
Install Mechanism
note: There is no formal install spec in the registry (instruction-only), but the package includes many code files and helper scripts. The SKILL.md instructs pip installs and system package installs (apt/brew) and may clone an external GitHub repo (https://github.com/jiji262/douyin-downloader.git). Cloning a public GitHub repo and pip/apt/brew installs are expected for this tooling, but they add risk because arbitrary code will be placed on disk and executed; the ms_token_manager also fetches remote YAML from raw.githubusercontent.com and may POST to a configured mssdk endpoint. This is moderate risk but not automatically malicious.
Credentials
concern: The skill requests sensitive credentials in its instructions (SiliconFlow API key, Douyin cookie values, optional Feishu token, possibly OPENAI_API_KEY for transcription) but the registry metadata declares no required environment variables or primary credential. Requesting Douyin cookies is functionally required for no-watermark downloads and some msToken flows, but the absence of these requirements in the manifest is an incoherence. Users should treat provided cookies and API keys as high-value secrets.
Persistence & Privilege
note: The skill does not request persistent 'always' inclusion and does not claim to modify other skills. It will write local files (local/config.json, .cookies.json, download_manifest.jsonl, dy_downloader.db) and may run package managers requiring elevated privileges (apt/brew) if the environment is missing system dependencies — the auto-install behavior can perform privileged actions after user confirmation, which is a notable privilege-related surface but not an explicit persistent elevation of platform privileges.