Douyin Video Forge

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.destructive_delete_command

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less external provenance to verify where the skill came from.

Why it was flagged

The package includes helper scripts but does not provide upstream provenance or a registry install specification, so users should review the bundled files before running manual setup.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Recommendation

Install from a trusted registry context, review install.sh and scripts before running them, and prefer pinned/known dependency sources where possible.

What this means

The agent may download online videos and process media locally, which can consume disk, network, and compute resources.

Why it was flagged

The skill instructs the agent to run local media tools on video links and files as part of the analysis workflow.

Skill content
yt-dlp --no-warnings -f best --no-playlist -o "$TMPDIR/%(id)s.%(ext)s" "<视频链接>" ... ffmpeg -i "<视频路径>" -vn ...
Recommendation

Use it only with intended video links/files, review commands before execution, and avoid feeding private media unless you want it processed.

What this means

If configured, the skill can use your Kling account and may incur provider costs for video generation.

Why it was flagged

The Kling helper uses environment-provided API credentials to authenticate to the video-generation provider.

Skill content
access_key = os.environ.get("KLING_ACCESS_KEY") ... secret_key = os.environ.get("KLING_SECRET_KEY") ... return {"Authorization": f"Bearer {token}"
Recommendation

Use limited-scope provider keys if available, monitor billing/usage, and do not paste secrets into chat.

What this means

Campaign details, prompts, and reference-image URLs may leave your local environment and be processed by Kling.

Why it was flagged

Video prompts and image URLs are sent to the external Kling API when automatic generation is used.

Skill content
BASE_URL = "https://api.klingai.com" ... "prompt": args.prompt ... "image": args.image
Recommendation

Avoid confidential customer material unless your agreement with the provider permits it, and review generated prompts before API submission.

What this means

If scheduling is enabled elsewhere, the skill could continue browsing, downloading, and generating videos on a recurring basis.

Why it was flagged

The workflow describes recurring scheduled execution for daily data collection and content production, though the provided install script does not create a cron job.

Skill content
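Trigger: on the first day, execute directly once operations has confirmed the strategy; afterwards, triggered automatically by Cron.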
Recommendation

Require explicit opt-in for any scheduler, set a clear end date and generation limits, and verify how to disable the task before enabling it.

Findings (1)

warn

suspicious.destructive_delete_command

Location
README.md:179
Finding
Documentation contains a destructive delete command without an explicit confirmation gate.