Douyin Hot Trend 1
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: douyin-hot-trend-1
Version: 1.0.3
The skill bundle is a Douyin trending-data aggregator that fetches, stores, and visualizes hot-list data. It is classified as suspicious because of a SQL injection weakness in scripts/db.py and scripts/query.py, where the 'days' parameter is interpolated into SQL text with str.format() instead of being passed as a bound query parameter. The current entry-point scripts cast this input to an integer before calling the database layer, which blocks injection through those paths, but the query-building code itself remains vulnerable to any caller that passes an unchecked string. The bundle also makes outbound network requests to Douyin's API and uses subprocess.run in scripts/save_to_db.py to bridge Node.js and Python execution.
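The following is an added example, not code from the skill, showing why an integer cast at the entry point does not fix a query built with str.format() in the data layer. It uses an in-memory SQLite stand-in for data/douyin.db; the table name hot_items comes from the review, while the column names and the shape of the query are assumptions.

```python
"""Added example (not the skill's own code): a .format()-built query in the
data layer stays injectable even when one caller casts `days` to int."""
import sqlite3
from datetime import datetime, timedelta, timezone


def _utc_stamp(days_ago: int) -> str:
    # "YYYY-MM-DD HH:MM:SS" in UTC, a format SQLite's julianday() parses.
    t = datetime.now(timezone.utc) - timedelta(days=days_ago)
    return t.strftime("%Y-%m-%d %H:%M:%S")


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for data/douyin.db. The table name
    # hot_items is from the review; column names and rows are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hot_items (title TEXT, hot_value INTEGER, fetched_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO hot_items VALUES (?, ?, ?)",
        [
            ("topic-today", 900, _utc_stamp(0)),
            ("topic-10d", 500, _utc_stamp(10)),
            ("topic-40d", 100, _utc_stamp(40)),
        ],
    )
    return conn


def recent_titles_vulnerable(conn: sqlite3.Connection, days) -> list:
    # Mirrors the pattern flagged in scripts/db.py: the value is pasted into
    # the SQL text, so a non-integer string rewrites the WHERE clause.
    sql = (
        "SELECT title FROM hot_items "
        "WHERE julianday('now') - julianday(fetched_at) <= {} "
        "ORDER BY title"
    ).format(days)
    return [row[0] for row in conn.execute(sql)]


def recent_titles_safe(conn: sqlite3.Connection, days) -> list:
    # Validate the type inside the data layer (not only at the CLI entry
    # point), compute the cutoff in Python, and bind it as a parameter.
    if isinstance(days, bool) or not isinstance(days, int) or days < 0:
        raise ValueError("days must be a non-negative integer")
    cutoff = _utc_stamp(days)
    return [
        row[0]
        for row in conn.execute(
            "SELECT title FROM hot_items WHERE fetched_at >= ? ORDER BY title",
            (cutoff,),
        )
    ]


def safe_rejects(conn: sqlite3.Connection, value) -> bool:
    # True when the hardened function refuses the value instead of querying.
    try:
        recent_titles_safe(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(recent_titles_vulnerable(db, 1))           # ['topic-today']
    print(recent_titles_vulnerable(db, "0 OR 1=1"))  # every row: WHERE clause rewritten
    print(recent_titles_safe(db, 1))                 # ['topic-today']
    print(safe_rejects(db, "0 OR 1=1"))              # True
```

The point of the hardened version is that the check lives next to the query: query.py, save_to_db.py, or any future caller gets the same protection without having to remember the int() cast, and the bound parameter means SQLite never parses user input as SQL.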
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill sends requests to Douyin and exposes normal network metadata such as IP address and user-agent.
The script makes an outbound request to Douyin's public hot-search endpoint using browser-like headers. This is purpose-aligned and disclosed, but users should know it contacts Douyin and may trigger rate limits.
hostname: 'www.douyin.com',
path: '/aweme/v1/hot/search/list/',
...
'User-Agent': getRandomUserAgent()
Use it only when you intend to query Douyin, and avoid frequent automated polling unless you understand Douyin's rate limits and terms.
The skill may fail or require manual setup if Node.js is not already installed.
The package declares Node.js as required, and SKILL.md uses node commands, while the registry requirements list no required binaries. This is an under-declared runtime prerequisite, not evidence of malicious behavior.
"openclaw": {
  "requires": {
    "bins": ["node"]
  }
}
Declare Node.js consistently in registry metadata and installation requirements.
A generated report could display or execute untrusted content if the data source were malicious or compromised.
The optional HTML report renders fetched trend titles and links via innerHTML. If upstream data contained HTML or script-like content, opening the generated report could render unintended active content.
const items = {json.dumps(items, ensure_ascii=False)};
...
<div class="item-title">${item.title}</div>
...
container.innerHTML = html;
Escape HTML, validate links, or build report entries with textContent/setAttribute instead of innerHTML.
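As an added example (not the skill's report generator), the fragments below show one way to apply the recommendation from the Python side: instead of serialising the items into a script and rendering them with innerHTML, emit escaped static markup and drop any link whose scheme is not http or https. The item field names title and link match the snippet above; the optional host allow-list, the rel attribute and the meta CSP are assumptions about how a hardened report would be built.

```python
"""Added example (not the skill's report generator): build report entries as
escaped static HTML and drop links whose scheme is not http(s)."""
import html
from typing import Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url: str, allowed_hosts: Optional[Iterable[str]] = None) -> Optional[str]:
    """Return an attribute-safe href, or None if the link must be dropped."""
    url = str(url).strip()
    parts = urlsplit(url)
    # Rejects javascript:, data:, scheme-relative (//host) and relative URLs.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Optional host allow-list (assumption: trend links should stay on Douyin).
    if allowed_hosts is not None and parts.hostname not in set(allowed_hosts):
        return None
    return html.escape(url, quote=True)


def render_items(items, allowed_hosts: Optional[Iterable[str]] = None) -> str:
    """One <div class="item-title"> per item, every field escaped."""
    out = []
    for item in items:
        title = html.escape(str(item.get("title", "")), quote=True)
        href = safe_href(item.get("link", ""), allowed_hosts)
        if href is None:
            out.append(f'<div class="item-title">{title}</div>')
        else:
            out.append(
                f'<div class="item-title">'
                f'<a href="{href}" rel="noopener noreferrer">{title}</a></div>'
            )
    return "\n".join(out)


def render_report(items, allowed_hosts: Optional[Iterable[str]] = None) -> str:
    # The report contains no script at all, so a meta CSP of default-src 'none'
    # is a second layer: even an escaping bug could not run code when opened.
    body = render_items(items, allowed_hosts)
    return (
        '<!doctype html><html><head><meta charset="utf-8">'
        '<meta http-equiv="Content-Security-Policy" '
        "content=\"default-src 'none'; style-src 'unsafe-inline'\">"
        "<title>Douyin hot list</title></head>"
        f"<body>{body}</body></html>"
    )


# Constructed sample: one benign entry plus two hostile ones.
SAMPLE_ITEMS = [
    {"title": "Normal topic", "link": "https://www.douyin.com/hot/detail/123"},
    {"title": "<img src=x onerror=alert(1)>", "link": "javascript:alert(1)"},
    {"title": '"quoted" & <b>bold</b>', "link": "//evil.example/phish"},
]

if __name__ == "__main__":
    print(render_report(SAMPLE_ITEMS))
```

If the report must stay client-rendered, the same two rules carry over: put titles in with textContent, set href only after the scheme check, and never concatenate upstream strings into markup that reaches innerHTML.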
Fetched trend history can remain on disk after use.
Optional helper scripts persist fetched hot-list entries and logs in a local SQLite database. The stored data appears to be public Douyin trend data, not user secrets.
DB_PATH = Path(__file__).parent.parent / "data" / "douyin.db"
...
INSERT INTO hot_items
Treat data/douyin.db and generated reports as local artifacts to delete if you do not want trend history retained.
