Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Grab Douyin - Video Downloader
v1.0.0
Download Douyin (抖音) videos via the TikHub API — no login required. USE THIS SKILL whenever the user: - Shares a Douyin link (v.douyin.com, douyin.com, or an...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement a Douyin downloader via the TikHub API (network calls, short-link resolution, and saving to ~/Downloads/douyin). That aligns with the name/description. However, the registry metadata lists no required env vars or config paths, while SKILL.md and the script require a TikHub API token stored at ~/.openclaw/config.json. This mismatch between the metadata and the instructions is an inconsistency; the requirement should have been declared.
Instruction Scope
SKILL.md instructs the agent to 'Always use this skill when you detect a Douyin URL' — giving the agent broad, automatic discretion to call the included script, perform network requests, and save files without explicit additional user consent. The runtime instructions also require reading ~/.openclaw/config.json for the token and performing HTTP requests to api.tikhub.io and the returned video URL; these actions are within purpose but the automatic-invoke directive is broad.
Install Mechanism
There is no install spec (instruction-only + included Python script), so nothing is downloaded at install time. The script depends on Python and the 'requests' package (not declared in metadata). This approach has low install risk but assumes the runtime has Python and requests available.
Credentials
The script legitimately needs a TikHub API token, but that credential is expected in a config file (~/.openclaw/config.json) rather than an env var; the skill registry metadata did not declare this required config path or credential. Reading a user-home config file is a sensitive action and the missing declaration is an incoherence the user should be aware of.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. However, because SKILL.md tells the agent to always use this skill when a Douyin URL is seen, the autonomous-invocation default could lead to automatic downloads; consider requiring user confirmation before downloads if you want to limit that behavior.
What to consider before installing
What to check before installing:
(1) The SKILL.md and script expect a TikHub API token stored at ~/.openclaw/config.json — this was not declared in the skill metadata; verify you are comfortable storing a token there and that the file contains only that token.
(2) The skill will make outbound HTTP requests to api.tikhub.io and to Douyin video URLs and will save files to your filesystem (default ~/Downloads/douyin).
(3) SKILL.md instructs the agent to 'always' use this skill when it detects a Douyin URL, which can cause automatic network activity and file writes; if you prefer explicit consent, disable autonomous invocation or require confirmation.
(4) Source is unknown — if you rely on trust, ask the publisher for provenance or audit the code yourself (the included Python script is short and readable).
(5) Ensure your environment has Python3 and the requests library or sandbox the skill if you want to limit potential misuse.
Like a lobster shell, security has layers — review code before you run it.
