Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fast Douyin Publish
v1.0.0抖音视频自动发布助手。一键上传视频到抖音,支持自动文案生成和标签优化。
⭐ 2· 440·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description advertise a Douyin uploader and the included script implements browser automation for that purpose. However the bundled config (config/accounts.json) lists multiple platforms (wechat_channels, xiaohongshu, bilibili, youtube) even though README/SKILL.md focus only on Douyin. The extra platform entries are not clearly documented in SKILL.md and may indicate broader functionality than advertised.
Instruction Scope
SKILL.md instructs running the included Python script with Playwright; the runtime instructions are narrowly scoped to logging in (QR code), uploading, and saving cookies locally. The script (visible portion) uses Playwright to navigate and interact with creator.douyin.com and stores cookies and account config under a local config/ directory. This is expected behavior for automation but it does mean sensitive data (cookies, optional username/password fields) will be created/stored on disk. The SKILL.md does not instruct transmitting these to external endpoints, and the visible code does not show any obvious exfiltration, but part of the script is truncated in the provided file listing (so full behavior is not confirmed).
Install Mechanism
No formal install spec; skill is instruction + code file. SKILL.md tells user to pip install playwright and run 'playwright install chromium', which will download browser binaries from Playwright's distribution endpoints. That is typical but does perform network downloads of large binaries. No other installers or remote download URLs are present in the manifest.
Credentials
The skill requests no environment variables or external credentials via requires.env, which is proportional. However it writes local account and cookie files (config/accounts.json and config/cookies/*.json) that may contain sensitive session tokens/credentials. The presence of other platforms in accounts.json expands the surface for stored credentials beyond the declared Douyin purpose and is not explained.
Persistence & Privilege
The skill is not force-included (always:false) and does not request elevated system privileges. It persistently stores configuration and cookies under a local config/ directory (normal for this kind of tool) but does not appear to modify other skills or global agent settings.
What to consider before installing
This skill implements browser automation and will create local files that can contain sensitive session cookies and account fields. Before running: (1) Review the full scripts/auto_publisher.py file (the provided file listing was truncated) for any network calls, hardcoded endpoints, or commands that send data off-host (search for requests, urllib, socket, fetch, subprocess, os.system, or any HTTP endpoints). (2) Note config/accounts.json includes other platforms—if you won't use them, consider removing those entries. (3) Run the tool in an isolated environment (VM or disposable container) and avoid using a machine with other active web sessions. (4) Back up and inspect any existing config/cookies files and ensure you trust the source before scanning QR codes or storing long-lived cookies. (5) Because the package has no homepage and an unknown author, prefer to audit the entire script (especially the truncated tail) or only run after manual review. If you want, provide the full scripts/auto_publisher.py content and I can review the remaining lines for suspicious behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97601tz1gc8mafjbkjkczmdxd82pqr0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.