Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Hot Trend

v1.1.0

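Fetches Douyin hot list / trending search data, covering popular content across multiple areas such as trending videos, challenges, and music, and outputs the title, popularity score, jump link, and cover image (if available).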

23· 7.5k·81 current·83 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description say 'fetch Douyin hot list' and the package contains Node scripts that perform HTTPS GET requests to www.douyin.com, parse results, format output and write local files—this is consistent with the stated purpose. package.json declares 'node' as a required binary which is appropriate.
Instruction Scope
SKILL.md instructs running the included node scripts (e.g., node scripts/douyin.js hot). The scripts only access Douyin's web endpoint, stdout and local files. One minor inconsistency: cron-job.js header/comment says it 'directly sends to Telegram', but the code only prepares a Markdown message, writes local files and outputs a JSON payload (it does not call Telegram APIs). A hardcoded chat_id appears in outputs, suggesting intended integration but no token/HTTP POST is present.
Install Mechanism
This is instruction+code only with no install spec or remote download. package.json and package-lock are minimal; no external packages are installed. Risk from installation is low because nothing is pulled from untrusted URLs.
Credentials
The skill requires no environment variables or credentials. It does contain a hardcoded Telegram chat_id in cron-job output and json outputs (a privacy/operational detail), but there are no secret tokens, API keys, or requests for unrelated credentials.
Persistence & Privilege
always is false and the skill does not try to modify other skills or system-wide agent settings. It writes debug/output files under its own directory, which is expected for these scripts.
Assessment
This skill appears to do what it says: it scrapes Douyin's public web endpoint and formats results. Before installing, consider: (1) you will need Node available to run it; (2) scraping may trigger rate-limiting or be subject to Douyin's terms of service—avoid high-frequency automated requests; (3) the cron-job prepares a Telegram message and includes a hardcoded chat_id but does not include a bot token or actually send messages—if you integrate automatic sending, you'll need to add credentials (be careful where you store them); (4) the scripts write output files into the skill directory—review and relocate or protect them if that matters. If you want the skill to push to Telegram automatically, inspect/add secure handling for the bot token rather than embedding it in plaintext.
cron-job.js:16: Shell command execution detected (child_process).
scripts/get-hot-trend.js:16: Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
