Skill v1.0.0
ClawScan security
lgCapture · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 9:53 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (downloading Douyin videos via Playwright) and do not request unrelated credentials or perform unexpected actions.
- Guidance: This skill appears coherent and does what it says: load Douyin pages in a headless Chromium browser and download videos to /tmp. Before installing or running: (1) ensure you install Playwright and its browser binaries from the official source so you know what is being downloaded; (2) run the scripts in an isolated environment (container or VM) if you are concerned about network activity or handling untrusted links; (3) be aware of copyright/ToS implications for downloading content; (4) review or run the included code locally — it does not exfiltrate secrets or require credentials, but it will fetch remote content and save files to disk.
Review Dimensions
- Purpose & Capability (ok): Name/description (fetch Douyin videos) align with the included Python scripts: both douyin.py and download.py parse Douyin links, use Playwright to load pages as an iPhone, extract video URLs and download them. No unrelated services, credentials, or binaries are requested.
- Instruction Scope (ok): SKILL.md describes the same steps implemented in the code (extract video ID, simulate iPhone via Playwright, read video.src or observe network responses, download and save). The code only accesses network resources required to fetch the page and video (douyin domains and related CDNs) and writes output to /tmp; it does not read local secrets, other files, or send data to unexpected endpoints.
- Install Mechanism (note): This is instruction-plus-code with no install spec. SKILL.md declares dependencies (playwright, chromium) but the package does not install them automatically. Installing Playwright separately will typically download a Chromium binary; that external download is normal but worth noting since it pulls code onto disk outside the skill bundle.
- Credentials (ok): The skill requires no environment variables, no credentials, and no config paths. The code uses standard libraries (requests, playwright) and only connects to Douyin/CDN URLs — so requested permissions are proportionate to the stated function.
- Persistence & Privilege (ok): Skill is user-invocable, not always-enabled. It does not modify other skills or system-wide configuration. Runtime behavior writes downloaded video files to /tmp (transient) and does not request persistent system privileges.
