Douyin Video Forge

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: douyin-video-forge
Version: 0.1.0

The 'douyin-video-forge' skill bundle is a legitimate automation tool for creating short-form video content. It utilizes browser automation to scrape trends from Douyin, yt-dlp for video downloads, and the Kling AI API for video generation. The implementation follows security best practices by retrieving API keys from environment variables rather than user prompts, using structured subprocess calls to prevent shell injection in 'kling_api.py', and providing extensive documentation (PRD.md, CLAUDE.md) that aligns with the code's behavior. No evidence of data exfiltration, malicious prompt injection, or unauthorized persistence was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less external provenance to verify where the skill came from.

Why it was flagged

The package includes helper scripts but does not provide upstream provenance or a registry install specification, so users should review the bundled files before running manual setup.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Install from a trusted registry context, review install.sh and scripts before running them, and prefer pinned/known dependency sources where possible.

What this means

The agent may download online videos and process media locally, which can consume disk, network, and compute resources.

Why it was flagged

The skill instructs the agent to run local media tools on video links and files as part of the analysis workflow.

Skill content

yt-dlp --no-warnings -f best --no-playlist -o "$TMPDIR/%(id)s.%(ext)s" "<视频链接>" ... ffmpeg -i "<视频路径>" -vn ...

Recommendation

Use it only with intended video links/files, review commands before execution, and avoid feeding private media unless you want it processed.

What this means

If configured, the skill can use your Kling account and may incur provider costs for video generation.

Why it was flagged

The Kling helper uses environment-provided API credentials to authenticate to the video-generation provider.

Skill content

access_key = os.environ.get("KLING_ACCESS_KEY") ... secret_key = os.environ.get("KLING_SECRET_KEY") ... return {"Authorization": f"Bearer {token}"

Recommendation

Use limited-scope provider keys if available, monitor billing/usage, and do not paste secrets into chat.

What this means

Campaign details, prompts, and reference-image URLs may leave your local environment and be processed by Kling.

Why it was flagged

Video prompts and image URLs are sent to the external Kling API when automatic generation is used.

Skill content

BASE_URL = "https://api.klingai.com" ... "prompt": args.prompt ... "image": args.image

Recommendation

Avoid confidential customer material unless your agreement with the provider permits it, and review generated prompts before API submission.

Note (Medium Confidence)
ASI10: Rogue Agents

What this means

If scheduling is enabled elsewhere, the skill could continue browsing, downloading, and generating videos on a recurring basis.

Why it was flagged

The workflow describes recurring scheduled execution for daily data collection and content production, though the provided install script does not create a cron job.

Skill content

Trigger: on the first day, executed directly once operations confirms the strategy; afterwards triggered automatically by Cron.

Recommendation

Require explicit opt-in for any scheduler, set a clear end date and generation limits, and verify how to disable the task before enabling it.