Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Douyin Reverse Engineer
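v2.0.0
Reverse-engineers AI image-generation prompts and storyboard scripts from Douyin videos. Triggers when the user mentions prompt reverse-engineering, video reverse-engineering, Douyin analysis, storyboard reverse-engineering, game rewriting, or video-to-prompt conversion.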
by Clair @clair-001
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (reverse-engineer Douyin videos into AI prompts/storyboards) aligns with the code: it downloads videos and calls a video-analyzer that uses Volcengine ARK. Required environment variable ARK_API_KEY is appropriate for that. However, the code references a 'douyin-downloader' skill (skills/douyin-downloader/...) while the SKILL.md and _meta.json list dependencies only as doubao-video-analyzer and video-downloader — that mismatch (and minor path variations like 'script' vs 'scripts') is an incoherence that may cause runtime failures or indicate sloppy packaging.
Instruction Scope
The runtime instructions and code explicitly upload the user's video to Volcengine (parse_video.py does client.files.create and submits frames to an Ark model). That means user video content will be transmitted to a third-party service (Volcengine) under the provided ARK_API_KEY. The SKILL.md does call out ARK_API_KEY, but the code-level description and docstrings confirm the upload behavior — this is expected for the skill's function but carries privacy/third‑party exposure risk. Also the code invokes other local skill scripts (douyin-downloader, video-downloader, doubao-video-analyzer); SKILL.md instructs installing two of these but not the douyin-specific downloader the code imports.
Install Mechanism
There is no remote download/install spec in the package itself (no arbitrary URL downloads or extract operations). The skill is delivered as code plus SKILL.md and relies on other skills installed via 'npx clawhub install ...' (which is an expected, lower-risk install path).
Credentials
Only ARK_API_KEY is declared as a required env var and is the primary credential — that is consistent with a skill that calls Volcengine ARK. The SKILL.md also expects system tools (python, ffmpeg, yt-dlp) provided by other skills; those are plausible. Still, the ARK API key is sensitive because it authorizes uploading and processing of content — ensure you trust the endpoint and rotate/revoke the key if needed.
Persistence & Privilege
The skill is not 'always: true' and is user-invocable. It does not request persistent privileges or claim to modify other skills' configs. It runs as a user-invoked script and does not appear to self-enable or persist settings beyond normal file outputs.
What to consider before installing
Before installing or running this skill:
(1) Be aware it will upload videos to Volcengine (ARK) using your ARK_API_KEY — do not use sensitive/proprietary video unless you accept that exposure.
(2) The package's manifest and README do not fully match the code: the script imports a 'douyin-downloader' skill that is not listed in _meta.json or the SKILL.md install instructions — you may need to install that separately or the script will fail.
(3) Review the other skills (doubao-video-analyzer, video-downloader, and any douyin downloader) that this skill calls; they will run network I/O and may require additional tools (yt-dlp, ffmpeg).
(4) Consider testing with a non-sensitive local video first and run in a sandboxed environment; keep the ARK_API_KEY scoped/rotated and revoke it if you don't trust the service or after testing.
(5) If you need higher assurance, request the missing/unclear packaging details from the author or inspect the other referenced skill code (douyin-downloader, doubao-video-analyzer) before use.
Like a lobster shell, security has layers — review code before you run it.
latestvk97e9rckbagjxpnr9my3s5n7js84jb1r
Runtime requirements
🎬 Clawdis
Bins: python
Env: ARK_API_KEY
Primary env: ARK_API_KEY
