Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Video Parsing and Download (KK Custom Edition)

v1.0.0

Douyin video parsing and download tool. Extracts a watermark-free download URL from a share link; supports download, speech-to-text transcription and content analysis.

by kk.Tang (@kk-kingkong)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (Douyin video download + transcription) aligns with using ffmpeg, whisper, curl and a local 'douyin-analyzer' module. However the declared required directory is a hard-coded, user-specific path (/Users/kk/.openclaw/mcp-servers/douyin-analyzer) rather than a generic location (e.g. ~/.openclaw), which is unusual for a published skill and suggests it was tailored to one developer's machine. The SKILL.md references mcporter, Python imports, curl and Playwright but the declared required binaries list only includes 'ffmpeg' and 'whisper' — missing entries (curl, python, mcporter, playwright/node) are incoherent with the instructions.
Instruction Scope
The runtime instructions tell the agent to modify sys.path and import server code from the specified local directory and/or call local MCP endpoints. That causes execution of arbitrary code present in the user's ~/.openclaw/mcp-servers/douyin-analyzer directory — a significant execution surface. The instructions also call external parsing APIs (liuxingw.com) and official Douyin endpoints; sending video URLs and video content to third parties could leak data. Writing temp files to /tmp is documented (expected), but the combination of importing local code and making network calls broadens risk.
Install Mechanism
This is an instruction-only skill with no install spec (lowest install risk). The metadata contains an 'install' entry saying the MCP is installed in ~/.openclaw/mcp-servers/douyin-analyzer, but the requires.dirs uses an absolute /Users/kk/... path — inconsistent and likely a packaging oversight. No downloads or archive extracts are requested by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However the instructions direct the agent to call external endpoints (official Douyin APIs and a third-party liuxingw.com parser). That means video URLs, and potentially downloaded media, could be transmitted to external services. The skill does not warn about what the third-party parser does with submitted data.
Persistence & Privilege
The skill does not request always:true and is not force-enabled. It does not ask to modify other skill configs or system-wide settings. Autonomous invocation remains possible (platform default), which combined with the other concerns increases risk, but the skill itself does not request elevated persistence.
What to consider before installing
This skill appears to be a personalized 'KK' wrapper that expects a local douyin-analyzer installation at a hard-coded path and will import and execute code from that path. Before installing or enabling it:

1) Do not enable it unless you trust the code in ~/.openclaw/mcp-servers/douyin-analyzer — importing that module runs arbitrary local Python.
2) If you plan to use it, change the path references to your own verified installation path and verify the contents of server.py (DouyinParser/AudioProcessor).
3) Ensure required tools (curl, python, mcporter, ffmpeg, whisper, and Playwright/node if you intend to use the browser fallback) are present; the metadata is missing some of these.
4) Be aware third-party parsing endpoints (liuxingw.com) will receive requests — avoid sending private/credentialed links or sensitive content to them.
5) If you don't have a trusted local 'douyin-analyzer' installation, prefer a skill that bundles its own vetted code or one from a known upstream; otherwise run this in a sandboxed environment.
6) If you want a lower-risk setup, restrict the skill to only use official APIs and local binaries you control, and remove any automatic import/exec of user-path code.


latest: vk973qs35kwwgeg0mcp6nc8ny6d83z2fn


Runtime requirements

Clawdis
Bins: ffmpeg, whisper
