Douyin Video Analyst

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: douyin-video-analyst
Version: 1.0.1

The skill bundle contains instructions and Python scripts in SKILL.md and troubleshooting.md that programmatically read sensitive configuration files (~/.cursor/mcp.json and ~/.claude.json) to extract API keys and environment variables. While this is intended to verify the setup for the 'douyin-mcp' tool, the practice of reading and printing local credential files to the agent's context is a high-risk behavior that could lead to accidental exposure of secrets.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

API keys for SiliconFlow or Alibaba Bailian could be exposed in logs or chat context, enabling unauthorized usage or billing impact.

Why it was flagged

The setup examples store DOUYIN_API_KEY or DASHSCOPE_API_KEY inside cfg.env, so this troubleshooting command can print actual API key values into the agent/tool transcript.

Skill content

print(f"Found in {path}:", json.dumps(cfg, indent=2, ensure_ascii=False))

Recommendation

Do not print full MCP configs. Redact env values, show only key names or presence checks, and ask the user before reading local credential files.

What this means

The transcript extraction behavior depends on third-party package code that is not included in the reviewed skill artifacts.

Why it was flagged

The skill depends on globally installed mcporter and an external douyin-mcp server package; the v1.2.0+ setup uses the latest package name without a pinned version.

Skill content

If not installed: `npm install -g mcporter` ... "command": "uvx", "args": ["douyin-mcp-server"]

Recommendation

Install only from trusted sources, prefer pinned versions, and review the MCP server package before giving it API keys.

What this means

Video URLs and related processing requests may be sent to external services during transcript extraction.

Why it was flagged

The workflow sends Douyin video links through an MCP server using a provider API key. This is aligned with transcription, but the data boundary depends on the external MCP server and provider.

Skill content

DASHSCOPE_API_KEY="<key>" mcporter call douyin-mcp.extract_douyin_text \
  share_link="https://www.douyin.com/video/<video_id>" 2>&1

Recommendation

Confirm the MCP server and API provider are acceptable for the videos being analyzed, and avoid using sensitive or private links unless the provider is trusted.