Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MCBAI Douyin Dubber

v1.0.4

Auto-dub Douyin/TikTok videos into any language using a fully local pipeline: download with Playwright Chromium + Douyin cookie → transcribe with Whisper → t...

by MCB AI (@mcbaivn)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the actual behavior: Playwright+cookie to download Douyin videos, Whisper for transcription, optional TTS providers, and FFmpeg to mix/burn subtitles. Declared binaries (python, ffmpeg) and Python packages (playwright, openai-whisper) are appropriate for the pipeline.
Instruction Scope
SKILL.md instructs the agent to read a Douyin cookie file, install Playwright/Whisper, run the provided Python script, and optionally call external TTS services. The instructions do not request unrelated files or extra credentials. The cookie export steps are sensitive but explicitly documented and warned about.
Install Mechanism
This is an instruction-only skill (no install spec). It ships a Python script that writes a temporary Playwright capture script at runtime and runs subprocesses; this is expected for a local downloader/transcoding tool. No remote archive downloads or obscure install URLs are used, lowering install risk.
Credentials
The only required sensitive item is the Douyin session cookie file (declared in metadata and required). That is proportionate to downloading content that requires authentication but is high‑risk if you supply a primary/personal account cookie. ElevenLabs API key is optional and justified for that provider. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It only runs locally when invoked and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says, but it requires a Douyin session cookie file which effectively grants access to your Douyin account. Only use a throwaway/test account as the author recommends, store the cookie file locally (do not commit it to version control), and rotate/revoke the cookie after use. Review the included scripts yourself or run the skill inside an isolated environment (container or VM) if you have any doubt. If you plan to use cloud TTS (ElevenLabs), provide a scoped key and monitor usage. If you want higher assurance, paste the full script into a quick review (or run it in a sandbox) to confirm there are no hidden network calls beyond expected TTS/CDN accesses.

Like a lobster shell, security has layers — review code before you run it.

Tags: douyin, dubbing, ffmpeg, latest, mcbai, tiktok, tts, vietnamese, whisper

Runtime requirements

Bins: ffmpeg, python