Douyin To Obsidian

Warn

Audited by ClawScan on May 13, 2026.

Overview

The Douyin-to-Obsidian workflow is mostly coherent, but the package ships a real Groq API key and prefilled config, which users should review before use.

Before installing, delete the bundled config.json secret, use your own Groq API key, confirm the Obsidian vault/folder are yours, and install the required browser/ffmpeg/Obsidian tools only from trusted sources.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may unknowingly run transcription through a bundled third-party API key, and the exposed key could be abused or stop working.

Why it was flagged

The shipped config contains a concrete Groq API key instead of a placeholder, while the registry declares no primary credential or required environment variables.

Skill content

"groqApiKey": "gsk_AiO8zS...33rDKupQb"

Recommendation

Remove the bundled key, rotate/revoke it, declare the credential requirement, and require each user to provide their own Groq API key through a secure configuration path.

What this means

This can open web pages, download media to /tmp, call local tools, and create notes in the user’s Obsidian vault.

Why it was flagged

The skill instructs the agent to use browser automation, shell commands, media conversion, and Obsidian mutation commands.

Skill content

agent-browser open "<用户发的抖音链接>" ... curl ... ffmpeg ... obsidian vault="<vault名>" create

Recommendation

Only invoke it on links you intend to process, review the configured vault/folder, and avoid letting it run against untrusted or unexpected URLs.

What this means

Users must separately trust and install external tooling for the workflow to work.

Why it was flagged

The skill relies on external tools and suggests installing an unpinned global npm package, while the registry lists no install spec or required binaries.

Skill content

agent-browser not installed | `npm install -g agent-browser`

Recommendation

Document and pin required dependencies where possible, and install them only from trusted sources.

What this means

The selected Douyin audio is sent to an external provider for transcription, which is expected for this feature but affects data handling.

Why it was flagged

The workflow uploads the extracted audio file to Groq’s transcription API.

Skill content

curl -s https://api.groq.com/openai/v1/audio/transcriptions ... -F file="@/tmp/douyin_audio.mp3"

Recommendation

Use this only for content you are comfortable sending to Groq, and make the external data transfer clear to users.