Douyin Hot Trend 1
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to fetch public Douyin trending data as described, with ordinary outbound network use and optional local storage/reporting to be aware of.
This looks safe to install if you want a Douyin hot-list fetcher. Make sure Node.js is available, expect outbound requests to Douyin, avoid excessive polling, and be cautious with generated HTML reports until fetched content is properly escaped.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill sends requests to Douyin and exposes normal network metadata such as IP address and user-agent.
The script makes an outbound request to Douyin's public hot-search endpoint using browser-like headers. This is purpose-aligned and disclosed, but users should know it contacts Douyin and may trigger rate limits.
hostname: 'www.douyin.com',
path: '/aweme/v1/hot/search/list/',
...
'User-Agent': getRandomUserAgent()
Use it only when you intend to query Douyin, and avoid frequent automated polling unless you understand Douyin's rate limits and terms.
The skill may fail or require manual setup if Node.js is not already installed.
The package declares Node.js as required, and SKILL.md uses node commands, while the registry requirements list no required binaries. This is an under-declared runtime prerequisite, not evidence of malicious behavior.
"openclaw": {
"requires": {
"bins": ["node"]
}
}
Declare Node.js consistently in registry metadata and installation requirements.
A generated report could display or execute untrusted content if the data source were malicious or compromised.
The optional HTML report renders fetched trend titles and links via innerHTML. If upstream data contained HTML or script-like content, opening the generated report could render unintended active content.
const items = {json.dumps(items, ensure_ascii=False)};
...
<div class="item-title">${item.title}</div>
...
container.innerHTML = html;
Escape HTML, validate links, or build report entries with textContent/setAttribute instead of innerHTML.
Fetched trend history can remain on disk after use.
Optional helper scripts persist fetched hot-list entries and logs in a local SQLite database. The stored data appears to be public Douyin trend data, not user secrets.
DB_PATH = Path(__file__).parent.parent / "data" / "douyin.db"
...
INSERT INTO hot_items
Treat data/douyin.db and generated reports as local artifacts to delete if you do not want trend history retained.
