Skill v1.0.0

ClawScan security

🎵 抖音下载器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 8:55 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are coherent with its stated purpose: it parses Douyin links, uses Playwright/HTTP requests to find video URLs, and downloads files to the user's filesystem; it does not request unexpected credentials or contact unknown third‑party endpoints.
Guidance
What to consider before installing:
- This skill will download and save files to your machine (default ~/Videos/douyin) and may create a debug screenshot (debug-screenshot.png) and JSON metadata files next to downloaded videos.
- It requires Node.js and Playwright; installing Playwright downloads browser binaries (large, network activity). The package.json declares these dependencies but the platform won't auto-install them — you'll need to run npm install and npx playwright install chromium as described.
- Playwright runs a real browser and executes site JS when extracting video URLs; that is necessary for dynamic pages but means remote script can run in the headless browser context (normal for scraping, not an exfiltration mechanism in this code). If you are concerned about privacy or security, run the skill in a sandboxed environment or inspect network activity during first runs.
- The skill contacts Douyin/iesdouyin APIs and pages only (no hidden or third‑party exfil endpoints found). Still obey Douyin/TikTok terms and copyright law — avoid bulk scraping or commercial use.
If you want additional assurance: review package.json and node modules before installing, run npm install in an isolated environment, and verify that no unexpected outbound connections occur during test runs.

Review Dimensions

Purpose & Capability
ok: Name/description match the code: parser, optional Playwright extraction, and downloader implement link parsing, batch downloads, metadata saving and automatic naming. No unrelated credentials, binaries, or services are requested.
Instruction Scope
ok: SKILL.md instructs exactly the actions implemented in code (npm install, optionally install Playwright browsers, configure save dir). The runtime instructions do not ask the agent to read unrelated files or exfiltrate secrets. The code writes screenshots/metadata and video files locally, which aligns with the described features.
Install Mechanism
note: There is no platform install spec (skill is instruction-only), but source includes a package.json that depends on playwright and other npm packages — installing them requires running npm and downloading Playwright browser binaries. This is expected for the stated functionality but is a heavier install step (downloads sizable browser binaries) and must be done manually or by the operator.
Credentials
ok: The skill requests no environment variables or credentials. It uses process.env.HOME/USERPROFILE only to determine a default save directory — this is proportionate to the purpose.
Persistence & Privilege
ok: always is false, no elevated privileges requested, and the skill does not modify other skills or system-wide agent configuration. It writes files only to a user-designated directory and creates a debug screenshot in the working directory.