Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Douyin Video Fetch
v1.0.0下载抖音视频到本地(无水印优先)。用于给后续视频分析/复刻提供原始素材,支持 URL 或 video_id 输入、批量列表输入与统一输出目录。
⭐ 9· 3.1k·40 current·40 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (download Douyin videos) align with the included script which uses Playwright and aiohttp to load pages, intercept network responses, extract media URLs, and save MP4s. However, the skill metadata claims no required binaries/env but the code requires Python packages (playwright, aiohttp) and a browser runtime — this mismatch is notable.
Instruction Scope
SKILL.md simply tells the agent to run the script with a URL/video_id or file; it does not request unrelated files or secrets. The script loads Douyin pages in a headless browser and executes/collects in-page JS/data (via page.evaluate and response interception), which means it will run remote site JavaScript in the agent environment — expected for scraping but a potential risk if you haven't reviewed the code fully.
Install Mechanism
There is no install spec. The script depends on Playwright (and its browser binaries) and aiohttp, but these are not declared. Playwright typically requires installing browser engines (or calling 'playwright install'); omission of installation/dependency guidance is an operational and security concern because users may run the script in environments without those safeguards or isolation.
Credentials
The skill declares no environment variables or credentials and the code does not appear to request unrelated secrets. Network access is required (to fetch pages/media) but that is proportional to the stated purpose.
Persistence & Privilege
The registry flags show always=false and the skill does not attempt to modify agent/global configuration. It runs on-demand and does not request persistent elevated privileges.
What to consider before installing
This skill appears to do what it claims (download Douyin videos) but you should not install/run it blindly. Before using: 1) Inspect the full script to ensure there are no hidden network sinks or data exfiltration paths (the provided file was truncated in the review). 2) Install and run in an isolated environment (sandbox or container) because it launches a headless browser and executes page JS. 3) Ensure required dependencies are installed (Python, playwright, aiohttp) and run 'playwright install' to get browser binaries. 4) Consider legal/ToS implications of scraping/downloading content. If you want higher confidence, request the full unobfuscated source and an explicit dependency/install instruction from the publisher.Like a lobster shell, security has layers — review code before you run it.
douyinvk97f7d3dpjps1vna1j8vh241ws81abh4downloadvk97f7d3dpjps1vna1j8vh241ws81abh4latestvk97f7d3dpjps1vna1j8vh241ws81abh4videovk97f7d3dpjps1vna1j8vh241ws81abh4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.