Fast Douyin Publish

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may unnecessarily store credentials for services outside the stated Douyin purpose, widening the account-access surface.

Why it was flagged

The skill is described as a Douyin QR-login publisher, but the shipped config enables multiple unrelated services and includes username/password fields for them.

Skill content
"wechat_channels": { "enabled": true, "username": "", "password": "" }, ... "youtube": { "enabled": true, "username": "", "password": "" }

Recommendation

Do not fill unrelated password fields; remove or disable non-Douyin account entries unless the skill clearly documents and scopes support for those platforms.

What this means

Anyone who can read the saved cookie/session file may be able to act as the logged-in Douyin account.

Why it was flagged

The skill stores Douyin session state locally so it can keep publishing without repeated QR login; this is expected, but the stored session carries sensitive account authority.

Skill content
`config/cookies/douyin.json` - login state ... Cookies are stored locally; keep them confidential

Recommendation

Use the skill only on a trusted machine, protect the config/cookies directory, and delete saved cookies when you no longer need persistent login.

What this means

Running the command can publish content to a real Douyin account, potentially with generated titles/tags and no separate final confirmation in the artifacts.

Why it was flagged

The script automates uploading and pressing the public publish button, including a force-click fallback; this is central to the skill but high-impact.

Skill content
file_input.set_input_files(video_path) ... publish_btn.click() ... publish_btn.click(force=True)

Recommendation

Only run it when you intend to publish immediately; review the video, generated title, and tags before invoking the script.

What this means

Users must trust the package installation path and may not see the dependency requirement from metadata alone.

Why it was flagged

The documented setup requires installing a Python package and browser runtime, but the registry metadata declares no required binaries or install spec.

Skill content
pip install playwright
playwright install chromium

Recommendation

Install dependencies from trusted sources, consider pinning versions, and ensure the metadata accurately declares Playwright/Chromium requirements.