Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Content Tracker Skill

v1.0.0

Scrapes Douyin creator videos, downloads audio (Playwright+ffmpeg with yt-dlp fallback), and transcribes with Whisper. Covers setup, daily tracking, cookie m...

by yibo@gpttang
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The code matches the stated purpose (scraping Douyin, extracting audio, running Whisper). However, the registry metadata claims no required env vars/binaries, while the SKILL.md and scripts require: MEDIACRAWLER_DIR (in .env), a valid .douyin_cookies.json (or the ability to scan a QR code), Playwright with a browser, ffmpeg (or imageio-ffmpeg), and optionally yt-dlp. The omission of these required inputs from the declared metadata is an inconsistency users should notice.
Instruction Scope (flagged)
Runtime instructions and code do more than just call Douyin endpoints: they ask users to copy cookies from a local WeChat container path (SKILL.md suggests cp from ~/Library/Containers/.../xwechat_files), the scripts load and use that .douyin_cookies.json, and scrape_profile.py injects cookies into MediaCrawler via the command line. scrape_profile.py also temporarily writes to MediaCrawler's config file (config/base_config.py) to change CRAWLER_MAX_NOTES_COUNT — i.e., the skill modifies files in an external repo. These behaviors go beyond simple API integration and involve local sensitive data and changing third-party project files.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md tells users to pip install requirements, pip/brew install yt-dlp, run 'python -m playwright install chromium', and to git clone https://github.com/NanmiCoder/MediaCrawler. Pulling and executing the upstream MediaCrawler code is expected for this skill, but it is an explicit external code dependency the user must fetch and run locally.
Credentials (flagged)
The registry lists no required environment variables/credentials, yet the skill expects and uses .env values (MEDIACRAWLER_DIR, OUTPUT_BASE_DIR, WHISPER_MODEL) and a cookie file (.douyin_cookies.json). The skill's instructions advise copying cookies from a local WeChat container path (sensitive user data). Additionally, cookies are passed into a subprocess command line (MediaCrawler cmd includes --cookies '<cookie_str>') which can expose cookie content via process listings on some systems. These environment and credential demands are not proportionally declared.
Persistence & Privilege (flagged)
The skill does not request 'always: true' and is not force-installed, but it writes persistent outputs under OUTPUT_BASE_DIR (data/, audio/, subtitles/, models/) — expected for this type of tool. The notable concern is that scrape_profile.py temporarily modifies MediaCrawler's config file (MEDIACRAWLER_DIR/config/base_config.py) and writes it back; modifying other software on disk is a privileged side-effect and should be acknowledged by users before running.
What to consider before installing/running this skill

- The skill will require you to clone and run a third-party project (NanmiCoder/MediaCrawler) and install Playwright, ffmpeg/imageio-ffmpeg, yt-dlp and openai-whisper; these are explicit but not reflected in the registry metadata — expect manual setup.
- The pipeline needs a valid Douyin cookie file (.douyin_cookies.json). SKILL.md suggests copying it from WeChat's local container; that points to sensitive local data. Prefer exporting cookies manually rather than letting scripts grab files automatically.
- The scraper will pass the cookie string on the MediaCrawler command line and will load cookies into Playwright contexts. Passing secrets on a command line can expose them to other local users via process listings; if this is a concern, run the skill in an isolated environment (VM/container) or modify the code to read cookies from a protected file only.
- The skill temporarily edits MediaCrawler's config file (config/base_config.py) to change fetch counts and then restores it. If you don't trust the cloned MediaCrawler repo, audit it first — the skill will write to files outside its own directory.
- Run in an isolated environment (dedicated user account, container, or VM) if you plan to provide real cookies or clone repositories. Review the code (scrape_profile.py, download_video.py, extract_subtitle.py) — key behaviors: reading/writing .douyin_cookies.json, calling subprocesses (MediaCrawler, ffmpeg, yt-dlp), writing outputs under ~/DouyinContentTracker by default, and downloading Whisper models into models/.
- If you decide to run it: set restrictive permissions on the cookie file (chmod 600), avoid running as root, and consider manually exporting cookies and setting MEDIACRAWLER_DIR in .env rather than copying from other app containers. If you want tighter safety, run the pipeline but skip the MediaCrawler step and feed sanitized CSVs instead.
- Missing info that would increase confidence: an explicit manifest of required env vars/binaries in the registry metadata, a signed or verified MediaCrawler source, and a mode that avoids command-line cookie exposure (e.g., pass cookies via a file or stdin).



