一键收藏抖音B站视频到你的飞书多维表格
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this skill is invoked or mis-scoped, the agent has permission to run local JavaScript or delete local files even though that is not needed to save a video link.
The stated purpose only needs video-page fetching and a Feishu record write, but this grants unrelated local execution/deletion capabilities through node and rm.
allowed-tools: Bash(curl *), Bash(node *), Bash(date *), Bash(mkdir *), Bash(rm *), WebFetch, Skill
Remove Bash(node *), Bash(rm *), and other unused local command permissions; keep only narrowly scoped commands that are required for the workflow.
The skill may fail unless those tools are already installed, and users may be tempted to install similarly named tools without a trusted source or pinned version.
The workflow depends on external tools, but the provided metadata and install specs declare no required binaries or install mechanism.
dokobot read "<url>" --local --timeout 5000 ... lark-cli base +record-upsert
Declare dokobot and lark-cli as required dependencies, provide trusted installation sources and versions, and document the authentication model.
A wrong token, table ID, or over-privileged Feishu login could add or update records in the wrong workspace/table.
The skill writes records to a user-configured Feishu Base/Table, which is purpose-aligned but requires account or app authority through the Feishu CLI.
Base Token: 你的Base Token ... Table ID: 你的Table ID ... lark-cli base +record-upsert --base-token <YOUR_BASE_TOKEN> --table-id <YOUR_TABLE_ID>
Use a dedicated Feishu table or bot/app with the minimum needed permissions, verify the Base Token and Table ID, and avoid putting secrets in a shared skill file.
Saved video links and summaries may be visible to other people who can access the Feishu base.
The skill persists fetched video metadata and generated summaries into a Feishu table, which is expected but creates a reusable/shared record of the user's saved content.
"链接": "https://...", "UP主/博主": "UP主名", "内容总结": "内容概括...", "标签": ["想看"]
Review Feishu table sharing settings and avoid saving private or sensitive video links unless that workspace is appropriate.