Skillv1.0.0

ClawScan security

Douyin Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 1, 2026, 4:35 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are consistent with a transcript analysis helper; nothing requests unrelated credentials or external installs, though a bundled optional script reads a local config file which you should review before running.
Guidance: This skill appears coherent for transcript analysis. Two practical actions before installing or running it: 1) Inspect scripts/analyzer.py (provided) yourself — it is a local, non-networked text-processing helper but it reads ~/.openclaw/skills/douyin-config.json (and a fallback). Confirm those config files are safe and do not contain secrets you don't want accessed. 2) If you only want LLM-only behavior, you can avoid executing the bundled script; the SKILL.md states the agent performs the high-quality analysis directly. If you plan to run the script locally, run it in a restricted environment and review the remainder of the file (the provided listing was truncated) to ensure there are no unexpected operations.

Review Dimensions

Purpose & Capability: noteName and description (semantic segmentation, keypoint extraction, summarization) match the SKILL.md and the included analyzer.py which implements basic cleaning, segmentation, extraction and prompt generation. Minor inconsistency: SKILL.md says the agent performs analysis and does not require scripts, yet a helper script (scripts/analyzer.py) is bundled as an optional fallback (the README states it's currently unused). This is plausible but worth noting.
Instruction Scope: okSKILL.md instructs the LLM to operate on Whisper transcripts and defines specific, constrained processing steps and an output format. It does not tell the agent to read unrelated files, call external endpoints, or exfiltrate data. The script is referenced only as a fallback and is not mandated by the instructions.
Install Mechanism: okNo install spec is provided (instruction-only skill) and no external downloads or package installs are required. Lowest-risk install posture.
Credentials: noteThe skill declares no required env vars or credentials. The bundled script does attempt to load a config from the user's home (~/.openclaw/skills/douyin-config.json and fallback ~/.openclaw/config.json) when executed; reading a local skill config is reasonable but you should review those config files before running the script to confirm they do not contain sensitive values you don't want accessed.
Persistence & Privilege: okThe skill does not request permanent/always-on installation and does not modify other skills or system-wide settings. Autonomous model invocation is allowed (default) but the skill's scope is limited to text analysis.