Douyin Video Download
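v1.1.2
Douyin video batch download tool. Supports single-video and batch downloads, automatic deduplication, watermark-free downloads, and automatic selection of the best download method (yt-dlp/Playwright).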
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the code all align: the tool parses Douyin links (Playwright) and downloads video streams (curl/yt-dlp). However there's a minor metadata mismatch: the registry metadata listed no required binaries, while package.json's openclaw.requires lists 'node' and 'yt-dlp'. Asking for yt-dlp is reasonable for a downloader but the registry fields are inconsistent.
Instruction Scope
SKILL.md instructions are focused on installation (npm, Playwright) and usage (single / batch downloads). The instructions and code read local files (links.txt) and write downloaded videos to an output dir. They do not request unrelated system files or credentials. One mismatch: SKILL.md mentions an EXECUTABLE_PATH env variable option but code comments say 'requires modifying the code to support it' — the env var is not actually implemented.
Install Mechanism
This is instruction-plus-code (no platform install spec). Installation requires npm install (normal) and Playwright will download Chromium (noted in SKILL.md). SKILL.md recommends installing yt-dlp via a sudo curl into /usr/local/bin — the download host is GitHub releases (expected) but the suggested sudo curl command will write a binary as root; that elevates risk if you run it blindly. Overall install mechanism is typical but requires care when running the suggested privileged curl command and when Playwright downloads browser binaries.
Credentials
The skill does not require credentials or secrets. It uses dotenv and supports OUTPUT_DIR via env (used in code). No sensitive environment variables are requested. SKILL.md mentions EXECUTABLE_PATH but code does not read it — minor inconsistency. No unexplained credential access detected.
Persistence & Privilege
always is false, no special persistence or system-wide config changes are requested, and the skill does not try to modify other skills. It runs as a user-level CLI tool.
What to consider before installing
What to check before installing:
- Verify the source: the skill's Source/Homepage are unknown; prefer code from a trusted repo. Review the included JS files yourself or run in an isolated VM/container.
- npm install will pull dependencies (playwright-chromium among others) and Playwright will download a Chromium binary; expect a large download and network access. If you need to restrict downloads, pre-install browsers and avoid automatic downloads.
- The README suggests installing yt-dlp with a sudo curl into /usr/local/bin. That command runs as root and places a binary on your system — only run it if you trust the binary (prefer package manager installs or inspect the downloaded file first).
- SKILL.md claims 'completely eliminates command injection' because it uses spawn; that reduces injection risk but is not an absolute guarantee. If you plan to feed untrusted input (e.g., untrusted links file), validate inputs and run in a sandbox.
- Minor inconsistencies to be aware of: registry metadata said no required binaries but package.json lists node and yt-dlp; SKILL.md references EXECUTABLE_PATH but code does not use it. These suggest the packaging/metadata may be out of sync.
Recommendation: treat this as a typical community downloader tool — reasonable but exercise standard caution: inspect the code, avoid running the sudo curl command blindly, and run first in an isolated environment if you have any doubts.
lib/downloader.js:34
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
latest
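Douyin Video Downloader (Security-Hardened Edition)
A powerful Douyin video batch download tool, supporting watermark-free 1080P HD downloads.
Features
- ✅ Security hardening: uses child_process.spawn for external calls, completely eliminating command injection risk.
- ✅ HD, no watermark: automatically resolves the 1080P direct link and removes the watermark.
- ✅ Stable downloads: uses automatic switching between multiple backends (built-in parsing engine + community-recognized tools) to ensure a high success rate.
- ✅ Batch processing: supports batch downloads from links read from a text file.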
Installation
1. Install dependencies
# Enter the skill directory
cd ~/.openclaw/workspace/skills/douyin-video-download
# Install Node.js dependencies
npm install
# Install the Playwright Chromium browser binary (only needed once)
# Note: in a restricted network environment, make sure an npm mirror is configured
npx playwright install chromium
2. Install external tools (optional but recommended)
- yt-dlp: provides the best download experience and higher stability.
  - Linux/macOS:
    sudo curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o /usr/local/bin/yt-dlp && sudo chmod a+rx /usr/local/bin/yt-dlp
  - Windows: download the .exe from yt-dlp releases and add it to PATH.
Usage
Single video download
# Using a share link
node scripts/download.js "https://v.douyin.com/xxxxx"
# Using a full link
node scripts/download.js "https://www.douyin.com/video/123456"
Batch download
# Read the list of links from a file
node scripts/download.js --batch links.txt
# links.txt format (one link per line, # comments supported)
https://v.douyin.com/xxxxx
# This is another video
https://v.douyin.com/yyyyy
Advanced options
# Specify the output directory
node scripts/download.js "https://v.douyin.com/xxxxx" --output ./videos
# Specify the file name
node scripts/download.js "https://v.douyin.com/xxxxx" --filename myvideo
# Number of concurrent downloads (batch mode)
node scripts/download.js --batch links.txt --concurrent 3
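Batch mode passes each line of links.txt on to an external downloader, so the lines are worth validating before they reach child_process.spawn. The following is an added example, not the skill's own code: the host allowlist is an assumption taken from the two hosts in the usage examples above, and parseLinks, buildArgs and download are hypothetical names.

```javascript
// Added example, not the skill's code. Allowlist assumed from the README's usage URLs.
const ALLOWED_HOSTS = new Set(['v.douyin.com', 'www.douyin.com']);

// Parse links.txt text: one link per line, blank lines and '#' comments skipped.
function parseLinks(text) {
  const accepted = [], rejected = [], seen = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    let url;
    try {
      url = new URL(line); // throws on option-like or malformed lines
    } catch {
      rejected.push({ line, reason: 'not a URL' });
      continue;
    }
    if (url.protocol !== 'https:') rejected.push({ line, reason: 'scheme' });
    else if (url.username || url.password) rejected.push({ line, reason: 'credentials' });
    else if (!ALLOWED_HOSTS.has(url.hostname)) rejected.push({ line, reason: 'host' });
    else if (!seen.has(url.href)) { seen.add(url.href); accepted.push(url.href); }
  }
  return { accepted, rejected };
}

// Argument vector for yt-dlp. "--" ends option parsing, so the URL stays positional
// even if the validation above is ever loosened.
function buildArgs(url, outputDir) {
  return ['-o', `${outputDir}/%(id)s.%(ext)s`, '--', url];
}

// Spawn without a shell: each array element reaches yt-dlp as exactly one argument.
async function download(url, outputDir) {
  const { spawn } = await import('node:child_process');
  return spawn('yt-dlp', buildArgs(url, outputDir), { shell: false, stdio: 'inherit' });
}

// Constructed sample input; only the two accepted links come from the README examples.
const SAMPLE = [
  '# constructed sample links.txt',
  'https://v.douyin.com/xxxxx',
  'https://v.douyin.com/xxxxx',
  'https://www.douyin.com/video/123456',
  '--version',
  'http://v.douyin.com/xxxxx',
  'https://v.douyin.com.example.net/xxxxx',
].join('\n');

console.log(parseLinks(SAMPLE));
```

The duplicate link is dropped silently, and the three rejected lines are reported with a reason so a batch run can log what it skipped.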
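Supply chain and security notes
- Browser binary: Playwright downloads the Chromium browser. If you have very high security requirements, you can specify the path to a locally installed Chrome via the EXECUTABLE_PATH environment variable (requires modifying the code to support this).
- npm mirror: if you are in mainland China, using the Tencent Cloud or Alibaba Cloud mirror is recommended to speed up installation.
- Privacy: this tool only accesses public Douyin pages and does not involve user login information.
Author
Leo & Neo (Startup Partners)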
