抖音自动回复助手 (Douyin Auto-Reply Assistant)

Suspicious
Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent and not obviously malicious, but it asks for a full Douyin session cookie and is designed to run unattended actions on the user's Douyin account.

Install only if you are comfortable giving the tool a Douyin session cookie and letting it act on your account. Prefer a test or dedicated account, protect config.json and logs, set low limits, review keywords carefully, and understand Douyin platform-rule and account-ban risks.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A full session cookie can let the bot act as the user's Douyin account; if the file is exposed or the bot misbehaves, the account could post unwanted replies, send unwanted DMs, or face platform restrictions.

Why it was flagged

The skill asks users to copy a full Douyin browser session cookie into local configuration. This is high-impact account authority and is under-declared by the registry metadata, which lists no primary credential.

Skill content
Copy the entire contents of the cookie field ... python scripts/config_manager.py cookie "paste the cookie you just copied"
Recommendation

Use official scoped OAuth/API credentials if available, declare the credential requirement, store secrets securely, warn users about plaintext config.json, and recommend a dedicated/test account rather than a main account.
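The skill's config_manager.py is not shown on this page, so the following is an added example of the "store secrets securely, warn about plaintext config.json" recommendation rather than the skill's own code. It writes config.json with owner-only permissions via an atomic replace, refuses to load a cookie from a file that other local users can read, and redacts the cookie whenever it is displayed. The file name config.json matches the audit's wording; the function names and the sample cookie are assumptions (the cookie value is constructed, not a real session).

```python
"""Store a Douyin session cookie with 0600 permissions and refuse to load it
when the file is readable by others. Added example, not the skill's code."""
import json
import os
import shutil
import stat
import tempfile

CONFIG_NAME = "config.json"  # assumed, matching the audit's wording


def save_cookie(config_dir: str, cookie: str) -> str:
    """Write {"cookie": ...} to config.json, created 0600 and replaced atomically."""
    os.makedirs(config_dir, mode=0o700, exist_ok=True)
    path = os.path.join(config_dir, CONFIG_NAME)
    # Write a sibling temp file first so a crash cannot leave a half-written or
    # default-umask (often world-readable) config behind, then rename into place.
    fd, tmp = tempfile.mkstemp(dir=config_dir, prefix=".config-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            os.fchmod(fh.fileno(), 0o600)
            json.dump({"cookie": cookie}, fh)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def load_cookie(config_dir: str) -> str:
    """Read the cookie back, refusing if the file is group- or world-accessible."""
    path = os.path.join(config_dir, CONFIG_NAME)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} has mode {mode:04o}; a session cookie is a credential, expected 0600"
        )
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["cookie"]


def redact(cookie: str, keep: int = 4) -> str:
    """What to print or log instead of the cookie: its length and last few characters."""
    return f"<redacted {len(cookie)} chars, ends ...{cookie[-keep:]}>"


def demo() -> dict:
    """Round-trip a constructed cookie through a temp dir and report the checks."""
    sample = "sessionid=0123456789abcdef; ttwid=constructed-sample"  # constructed value
    workdir = tempfile.mkdtemp()
    try:
        path = save_cookie(workdir, sample)
        result = {
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "roundtrip": load_cookie(workdir) == sample,
            "redacted": redact(sample),
        }
        os.chmod(path, 0o644)  # simulate a user loosening permissions afterwards
        try:
            load_cookie(workdir)
            result["rejected_loose"] = False
        except PermissionError:
            result["rejected_loose"] = True
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

A 0600 file is still plaintext to anyone running as the same user, including the bot process itself and any other tool installed into the same profile, so the permission check reduces exposure but does not replace a dedicated or test account.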

What this means

Incorrect keywords or unexpected comments could trigger public replies or DMs at scale, potentially annoying users, damaging reputation, or triggering Douyin anti-spam/account controls.

Why it was flagged

The bot is designed to continuously process comments and send replies/private messages after the user starts it. It has delay and daily-limit controls, but no per-action confirmation or clearly bounded target scope.

Skill content
while True: ... comments = self.get_comments() ... self.process_comment(comment) ... self.send_private_message(user_id, pm_message)
Recommendation

Add dry-run mode, per-message review options, clear video/account scoping, conservative defaults, and a visible stop/rollback procedure.
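The skill's loop shown above sends as soon as a keyword matches. The following is an added example of the bounded loop the recommendation describes; it is not the skill's code, and the skill's get_comments()/send_private_message() are stood in for by a FakeClient holding constructed comments. The Comment fields, the Limits settings and the keyword table are assumptions. It defaults to dry run, acts only on an explicit allowlist of video IDs, stops at a daily cap, skips re-fetched comments, and exposes a per-message confirm hook, recording every decision so the operator can see what would have been sent before turning sending on.

```python
"""Bounded, scoped, dry-run-first comment processing loop. Added example, not
the skill's own code; client and comments are constructed stand-ins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    comment_id: str
    video_id: str
    user_id: str
    text: str


@dataclass(frozen=True)
class Limits:
    allowed_videos: frozenset        # explicit scope; an empty set means act nowhere
    daily_cap: int = 20              # conservative default
    dry_run: bool = True             # preview unless sending is switched on deliberately


class FakeClient:
    """Stands in for the Douyin client: returns constructed comments, records sends."""
    def __init__(self, comments):
        self._comments = list(comments)
        self.sent = []

    def get_comments(self):
        return list(self._comments)

    def send_private_message(self, user_id, message):
        self.sent.append((user_id, message))


class ReplyBot:
    def __init__(self, client, keywords, limits, confirm=None):
        self.client = client
        self.keywords = {k.casefold(): v for k, v in keywords.items()}
        self.limits = limits
        self.confirm = confirm        # optional per-message review hook: (comment, reply) -> bool
        self.sent_today = 0
        self.seen = set()             # comment IDs already handled (persist this in real use)
        self.actions = []             # audit trail of every decision, sent or not

    def decide(self, c):
        """Decide what to do with one comment; performs no send itself."""
        base = {"comment_id": c.comment_id, "user_id": c.user_id}
        if c.comment_id in self.seen:
            return {**base, "action": "skip", "reason": "duplicate"}
        self.seen.add(c.comment_id)
        if c.video_id not in self.limits.allowed_videos:
            return {**base, "action": "skip", "reason": "out_of_scope"}
        text = c.text.casefold()
        reply = next((r for kw, r in self.keywords.items() if kw in text), None)
        if reply is None:
            return {**base, "action": "skip", "reason": "no_keyword"}
        if self.sent_today >= self.limits.daily_cap:
            return {**base, "action": "skip", "reason": "daily_cap"}
        if self.limits.dry_run:
            return {**base, "action": "preview", "message": reply}
        if self.confirm is not None and not self.confirm(c, reply):
            return {**base, "action": "skip", "reason": "declined"}
        return {**base, "action": "send", "message": reply}

    def run_once(self):
        """One pass over the current comments; the only place a send happens."""
        for c in self.client.get_comments():
            d = self.decide(c)
            if d["action"] == "send":
                self.client.send_private_message(c.user_id, d["message"])
                self.sent_today += 1
            self.actions.append(d)
        return self.actions


SAMPLE_COMMENTS = [  # constructed sample input
    Comment("c1", "vid-A", "u1", "How much is the price?"),
    Comment("c2", "vid-A", "u2", "Love this video"),
    Comment("c3", "vid-B", "u3", "price please"),            # video not in scope
    Comment("c4", "vid-A", "u4", "How to buy?"),
    Comment("c1", "vid-A", "u1", "How much is the price?"),  # same comment fetched again
]
KEYWORDS = {  # assumed keyword table
    "price": "Thanks for asking! Pricing is pinned in the video description.",
    "how to buy": "Thanks! Purchase steps are in the pinned comment.",
}


def make_demo_bot(dry_run=True, daily_cap=20):
    client = FakeClient(SAMPLE_COMMENTS)
    limits = Limits(allowed_videos=frozenset({"vid-A"}), daily_cap=daily_cap, dry_run=dry_run)
    return client, ReplyBot(client, KEYWORDS, limits)


if __name__ == "__main__":
    client, bot = make_demo_bot()
    for decision in bot.run_once():
        print(decision)
    print("messages actually sent in dry run:", len(client.sent))
```

run_once is meant to be driven by an outer scheduler that sleeps between passes and checks a stop condition (a stop file or signal) before each pass, which gives the operator the visible stop procedure the recommendation asks for; the substring keyword match is deliberately simple and is exactly where short or generic keywords cause the over-triggering described above, so the dry-run output should be reviewed before sending is enabled.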

What this means

Users may treat the setup as safer than it is and paste a main-account cookie without protecting local files.

Why it was flagged

The privacy wording may cause users to underestimate the sensitivity of copying a full session cookie and creating local logs/config files, even though no external exfiltration is shown.

Skill content
User privacy: does not collect users' personal information; does not store chat records; runs locally, data is secure
Recommendation

Clarify exactly what is stored locally, where credentials/logs live, and what risks remain even without external data collection.

What this means

Someone with access to the skill directory could read account activity details or infer private-message targets/content.

Why it was flagged

The bot writes persistent local logs that can include user IDs and outgoing message content. No external sharing is shown, but the files may contain sensitive account-interaction data.

Skill content
logging.FileHandler('douyin_bot.log') ... logger.info(f"Sending private message to user {user_id}: {message}")
Recommendation

Document log contents, avoid logging sensitive identifiers/messages by default, and provide log rotation/redaction/cleanup guidance.
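The log line quoted above writes the raw recipient ID and the full message text to douyin_bot.log. The following is an added example of the logging shape the recommendation describes, not the skill's code: outgoing messages are logged through a single helper, a handler-level filter replaces the user ID with a keyed, truncated HMAC (stable within one install so repeat contacts can still be correlated, but not reversible without the key) and the message text with its length, and the file handler rotates and is chmod 0600. The HMAC key and the sample user ID and message are constructed.

```python
"""Log that a private message was sent without writing the raw user ID or the
message text to disk. Added example, not the skill's code."""
import hashlib
import hmac
import io
import logging
import os
from logging.handlers import RotatingFileHandler


def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed, truncated HMAC-SHA256 of the platform user ID."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


class PrivacyFilter(logging.Filter):
    """Rewrite records logged with extra={"user_id": ..., "dm_text": ...} before
    any formatter sees them; records without those fields get '-'."""
    def __init__(self, key: bytes):
        super().__init__()
        self._key = key

    def filter(self, record):
        uid = getattr(record, "user_id", None)
        record.user_id = pseudonym(uid, self._key) if uid is not None else "-"
        text = getattr(record, "dm_text", None)
        record.dm_text = f"<{len(text)} chars>" if text is not None else "-"
        return True


FORMAT = "%(asctime)s %(levelname)s %(message)s user=%(user_id)s dm=%(dm_text)s"


def attach(handler: logging.Handler, key: bytes) -> logging.Handler:
    handler.addFilter(PrivacyFilter(key))
    handler.setFormatter(logging.Formatter(FORMAT))
    return handler


def build_file_logger(path: str, key: bytes, name: str = "douyin_bot") -> logging.Logger:
    """Rotating log file (1 MiB x 3 backups), owner-readable only."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    handler = RotatingFileHandler(path, maxBytes=1_048_576, backupCount=3, encoding="utf-8")
    os.chmod(path, 0o600)
    logger.addHandler(attach(handler, key))
    return logger


def log_dm(logger: logging.Logger, user_id: str, message: str) -> None:
    """The single call site for outgoing-DM logging; raw values never reach the format string."""
    logger.info("sent private message", extra={"user_id": user_id, "dm_text": message})


def demo(key: bytes = b"constructed-per-install-key") -> str:
    """Log one constructed DM to an in-memory stream and return the line written."""
    stream = io.StringIO()
    logger = logging.getLogger("douyin_bot.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(attach(logging.StreamHandler(stream), key))
    log_dm(logger, "1234567890", "Hi, here is the price list you asked about")
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

In a real install the key should come from os.urandom and live next to the config with the same 0600 protection; if the key is lost the pseudonyms stop being correlatable with earlier logs, which is acceptable for an audit trail of this kind. Anyone who needs the raw recipient for a complaint can recompute the pseudonym from a known user ID, but cannot go the other way from the log file.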

What this means

Future installs may receive different dependency versions, which can affect reliability or security.

Why it was flagged

The dependency is unpinned. This is expected for a simple Python HTTP integration, but the exact installed version can vary over time.

Skill content
requests>=2.28.0
Recommendation

Pin or constrain dependencies more tightly and provide a lockfile or verified install instructions.