Skill v1.2.0

ClawScan security

TikTok Video Downloader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 18, 2026, 3:10 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely does what it says (calls savefbs.com to fetch download links) but contains inconsistencies and surprising behavior — misleading privacy claims, local usage tracking, and a hard-coded crypto payment link — so review before installing.
Guidance
The skill does what it claims in that it calls savefbs.com to retrieve download links, but be aware of three issues before installing:
(1) Privacy claim mismatch: the script sends the TikTok URL to a third party (savefbs.com), so every URL you submit leaves your machine and is visible to that service, which contradicts the SKILL.md's 'No data collection' wording.
(2) Local tracking: it creates ~/.openclaw/skills/tiktok-video-downloader/usage.json to count daily downloads. The file stays on your disk, but it is still a record of your usage.
(3) Monetization via a hard-coded crypto wallet address and payment URL: the script does not enforce payment, but it points users to a cryptocurrency payment flow for 'upgrades'.
Consider whether you trust savefbs.com and the hard-coded payment link, review the included Python file yourself, and do not supply private-account or otherwise sensitive video URLs. If you need stronger guarantees, ask the author to remove the hard-coded payment address, to document exactly what is sent to the remote API, or to change the workflow so the agent downloads content locally without posting URLs to an external service.
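As a concrete way to "review the included Python file yourself", here is an added example of a static pre-install check. It is not the skill's code and not ClawHub's scanner: it walks a script's AST and reports remote hosts named in string literals, assignments whose names look like payment material, home-directory paths, requests.* HTTP calls and write-mode open() calls, which are exactly the items this report flags. The SAMPLE_SKILL_SCRIPT it runs on is constructed to mirror the behaviour described above; the host pay.example, the zeroed wallet string and the function names in it are placeholders, not the skill's real source.

```python
import ast
from urllib.parse import urlparse

# Constructed sample, NOT the skill's real source: it mimics the behaviour the
# report describes (GET/POST to savefbs.com, usage.json under ~/.openclaw,
# hard-coded WALLET_ADDRESS / PAYMENT_URL) so the checker has input to run on.
SAMPLE_SKILL_SCRIPT = '''
import json, os, requests

API_BASE = "https://savefbs.com/api"
WALLET_ADDRESS = "0x0000000000000000000000000000000000000000"   # placeholder
PAYMENT_URL = "https://pay.example/upgrade"                      # placeholder
USAGE_FILE = os.path.expanduser("~/.openclaw/skills/tiktok-video-downloader/usage.json")

def fetch_links(tiktok_url):
    requests.get(API_BASE)                                        # handshake
    resp = requests.post(API_BASE + "/download", data={"url": tiktok_url})
    return resp.json()

def record_usage(count):
    with open(USAGE_FILE, "w") as fh:
        json.dump({"count": count}, fh)
'''

# Identifier fragments that suggest monetization material (heuristic, assumed list).
PAYMENT_TOKENS = {"WALLET", "PAYMENT", "PAY", "CRYPTO", "BTC", "ETH", "USDT", "DONATE"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def audit_skill_source(source):
    """Walk the script's AST and collect the facts a reviewer wants before installing:
    remote hosts, payment-looking constants, home paths, HTTP calls, file writes."""
    tree = ast.parse(source)
    report = {"hosts": set(), "payment_constants": [], "home_paths": [],
              "http_calls": [], "file_writes": 0}

    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            url = urlparse(text)
            if url.scheme in ("http", "https") and url.netloc:
                report["hosts"].add(url.netloc)          # where data can leave the box
            if text.startswith("~"):
                report["home_paths"].append(text)        # paths under the user's home
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and set(target.id.upper().split("_")) & PAYMENT_TOKENS):
                    report["payment_constants"].append(target.id)
        elif isinstance(node, ast.Call):
            func = node.func
            if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                    and func.value.id == "requests" and func.attr in HTTP_METHODS):
                report["http_calls"].append(func.attr.upper())
            elif isinstance(func, ast.Name) and func.id == "open":
                mode = None                              # open(path, "w") or mode="w"
                if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                    mode = node.args[1].value
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = kw.value.value
                if isinstance(mode, str) and any(c in mode for c in "wa+"):
                    report["file_writes"] += 1

    report["hosts"] = sorted(report["hosts"])
    report["http_calls"].sort()
    return report


def findings(report):
    """Turn the raw report into the questions to settle before installing."""
    out = []
    if report["hosts"]:
        out.append("talks to third-party hosts: " + ", ".join(report["hosts"]))
    if report["http_calls"]:
        out.append("HTTP methods used: " + ", ".join(report["http_calls"]))
    if report["payment_constants"]:
        out.append("hard-coded payment material: " + ", ".join(report["payment_constants"]))
    if report["home_paths"]:
        out.append("references home-directory paths: " + ", ".join(report["home_paths"]))
    if report["file_writes"]:
        out.append(f"{report['file_writes']} file write(s) in write/append mode")
    return out


if __name__ == "__main__":
    for line in findings(audit_skill_source(SAMPLE_SKILL_SCRIPT)):
        print("-", line)
```

To check a real skill, pass the contents of its Python file to audit_skill_source instead of the sample. Each finding is a question to settle (is this host expected? why is a wallet address here?), not proof of malice, and the check is deliberately shallow: a script that builds URLs or paths at runtime from fragments, or calls the network through something other than requests, will slip past a literal scan, so treat an empty report as "nothing obvious", not "clean".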

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose (download TikTok videos via savefbs.com) matches the included script, which posts the provided TikTok URL to savefbs.com and returns download links. However, the SKILL.md asserts 'No data collection' and 'Video URLs are processed server-side and not logged', which is misleading: the script transmits the user-provided URL to an external API, so the third party necessarily sees every URL regardless of what it logs. The hard-coded crypto WALLET_ADDRESS and PAYMENT_URL used for monetization are not required to fetch links and are an additional, unexpected element.
Instruction Scope
concern: Runtime instructions direct the agent to execute the included Python script. The script makes network calls to savefbs.com (GET and POST) and transmits the supplied TikTok URL to that external service. It also creates and writes a usage.json file under the user's home directory (~/.openclaw/skills/tiktok-video-downloader) to track daily counts and paid status. Those actions are within a downloader's scope, but the SKILL.md's privacy claims contradict the actual network transmission and local tracking.
Install Mechanism
ok: No install spec; the skill is instruction-plus-script only. No downloads, package installs, or extract steps are present in the manifest, reducing installation risk.
Credentials
note: The skill requests no environment variables or external credentials (good). It does, however, write usage tracking to a folder in the user's home directory and contains a hard-coded crypto wallet address and payment URL for monetization. The payment URL and wallet are not necessary for the core fetching operation and may surprise users.
Persistence & Privilege
ok: The skill does not request always:true or elevated privileges and only writes its own usage file under a per-skill path (~/.openclaw/skills/...). It does not modify other skills or system-wide config.