Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Transcript Parsing

v0.1.1

Call the coze-js-api Douyin transcription endpoint and return transcript-ready results from Douyin URLs or share-text. Use this skill whenever the user asks...

by kyris wu (@kyriswu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the included script all align: the skill calls a Douyin transcription endpoint and needs to send {url, api_key}. Required binaries (bash, curl, python3) are reasonable for this task. However, the registry metadata lists no required environment variables while runtime instructions and the script require DOUYIN_TRANSCRIBE_API_KEY — this mismatch is unexpected and should be corrected.
Instruction Scope
SKILL.md narrowly describes extracting a URL from share text, reading the API key from DOUYIN_TRANSCRIBE_API_KEY, and executing the bundled scripts/transcribe_douyin.sh which POSTs JSON to the declared endpoint. The instructions do not ask the agent to read unrelated files, system secrets, or other env vars; the network call is limited to the stated API endpoint.
Install Mechanism
No install spec — instruction-only with a small bundled script. Nothing is downloaded from arbitrary URLs and no archives are extracted. This is low-risk from an install mechanism perspective.
Credentials
At runtime the skill expects a secret DOUYIN_TRANSCRIBE_API_KEY; that is proportionate to its purpose. But the registry metadata does not declare this required env var, which is an inconsistency. Additionally, the included evals/examples show prompts containing an API key value (e.g., 'dddd'), which may encourage users to paste secrets into chat rather than using the environment variable; that raises an information-exposure risk.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges. It does not modify other skills or system configs. Autonomous invocation is allowed (platform default) but not combined with any elevated privileges in this skill.
What to consider before installing
This skill appears to do what it says (POST {url, api_key} to the declared transcribe endpoint) and uses only bash/curl/python3 and the bundled script. Before installing, verify these points:
1. Confirm the DOUYIN_TRANSCRIBE_API_KEY requirement is documented in the registry metadata; the current metadata omits it.
2. Do not paste your real API key into chat prompts or example fields; set DOUYIN_TRANSCRIBE_API_KEY in your environment instead.
3. Confirm you trust the endpoint domain (https://coze-js-api.devtool.uk) and that you obtained the API key from a legitimate source.
4. If you need to audit network calls, run the script locally with a test key first and inspect the request/response.
5. If the registry owner or homepage are unknown, consider contacting the owner or using an alternative with clearer provenance.
These inconsistencies are likely sloppy configuration rather than malicious, but they warrant caution.


latest · vk9729r781dcz3kg2rmf29z888s82vj68


Runtime requirements

Bins: bash, curl, python3
