桃噗噗回复助手
AdvisoryAudited by VirusTotal on Apr 2, 2026.
Overview
Type: OpenClaw Skill Name: recall-tao Version: 1.0.1 The 'recall-tao' skill bundle is a legitimate and well-structured automation tool for managing Douyin (TikTok China) creator accounts. It utilizes Playwright for browser automation, implementing features like comment monitoring, keyword-based filtering, and AI-integrated replies (supporting DeepSeek, OpenAI, and Claude). The scripts (e.g., browser_manager.js, rate_limiter.js, and persistence_manager.js) are modular and focused on operational stability, rate limiting, and session persistence. No evidence of data exfiltration, malicious prompt injection, or unauthorized remote execution was found; all high-risk browser and file system operations are consistent with the stated purpose of the tool.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A commenter could try to manipulate the AI into generating an inappropriate or off-brand public reply from the user's Douyin account.
External Douyin comment text is inserted directly into an AI prompt for generating a reply, and the visible prompt does not instruct the model to treat the comment only as untrusted data.
other: `用户评论:"${comment}"\n请生成一个积极、大方、热情的回复。回复要自然亲切,不超过100字。`Add prompt-injection defenses, treat comments strictly as quoted data, restrict replies to safe templates for risky cases, and require human review before posting AI-generated replies.
A bad rule, model error, or hostile comment could cause many unwanted public replies and may affect the user's account reputation or platform standing.
The skill is designed to monitor many videos and automatically post replies, which is public account mutation at scale; the visible artifacts do not show per-reply user confirmation.
多视频批量监控 | 同时监控多个视频的评论 ... 自动添加监控 | 自动添加有评论的视频到监控列表 ... 自动回复 - 生成积极、大方、热情、合法的回复
Default to review-before-send, require an explicit target list, provide clear stop/pause controls, cap daily activity conservatively, and log every action for user audit.
The account may be exposed to platform enforcement risk, and disabling browser sandboxing can increase local risk if a browsed page is compromised.
The browser is launched with automation-hiding flags and sandbox-disabling flags, which goes beyond ordinary browser automation and can weaken local browser isolation.
args: [ '--disable-blink-features=AutomationControlled', '--disable-infobars', '--no-sandbox', '--disable-setuid-sandbox' ]
Avoid stealth/anti-detection flags and sandbox disabling unless absolutely necessary and explicitly approved; prefer official platform APIs or documented integration methods.
Anyone or any process that can read or reuse that saved state may be able to act as the logged-in Douyin account, and the skill can continue acting without another login.
The skill saves browser authentication/session state to a local file so it can keep using a logged-in Douyin account.
userDataDir: path.join(process.env.LOCALAPPDATA || process.env.TEMP, 'douyin-automation-browser') ... await state.context.storageState({ path: savePath });Clearly disclose session storage, protect the auth-state file, allow easy deletion/logout, scope the browser context only to Douyin, and declare this credential/session handling in metadata.
After the user starts monitoring, the automation may continue or recover from failures and keep replying unless the user clearly stops it.
The browser manager is designed to keep the session alive and automatically restart after disconnects while running.
keepAlive: { enabled: true, intervalMs: 60000 ... } ... if (state.isRunning) { console.log('[BrowserManager] 尝试自动重启...'); await restartBrowser(); }Provide explicit stop, timeout, and status controls; require renewed user consent after restarts or long idle periods; and make persistence opt-in.
Local state may reveal which videos are monitored and which comments were processed, and stale state could influence future automated replies.
The skill persists monitor targets and processed-comment state locally, which is expected for incremental monitoring but should be visible to users.
fs.writeFileSync(MONITOR_TARGETS_PATH, JSON.stringify({ updatedAt: new Date().toISOString(), targets: this.targets }, null, 2), 'utf8'); ... fs.writeFileSync(PROCESSED_PATH, JSON.stringify({ updatedAt: new Date().toISOString(), processed: this.processedComments }, null, 2), 'utf8');Document the stored files, offer cleanup/export controls, avoid storing unnecessary comment content, and separate state per account.
Users may install an unpinned dependency manually or encounter unclear setup behavior.
The code depends on Playwright, but the provided install metadata says there is no install spec and no required binaries, so dependency installation and version pinning are not clearly declared.
chromium = require('playwright').chromium; ... throw new Error('playwright 未安装,请先安装: npm install playwright');Declare Playwright as a dependency with pinned versions and installation steps, and avoid ad-hoc manual package installation guidance.