抖音热榜 / Douyin Hot
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Douyin hot-list purpose, but its HTML report generator renders fetched external data as raw HTML, which could run unwanted page code if malicious data is included.
Install only if you need Douyin trend fetching and are comfortable contacting Douyin from your machine. Treat the optional generated HTML report as unsafe until titles and links are escaped/validated, and ensure Node/Python requirements are available despite incomplete registry metadata.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If Douyin data or stored rows contain crafted HTML, script, or unsafe URLs, opening the generated report could execute unwanted JavaScript or create unsafe links in the browser.
Fetched data from the local database is inserted into HTML attributes and body content, then assigned to innerHTML without sanitizing or escaping titles/links.
items.append({'rank': row['rank'], 'title': row['title'], ... 'link': row['link'] or ''})
...
<a href="${item.link}" class="hot-item" target="_blank">
...
<div class="item-title">${item.title}</div>
...
container.innerHTML = html;
Escape HTML text and validate URLs before rendering, or build DOM nodes with textContent/setAttribute and allow only https://www.douyin.com links.
Running the skill contacts Douyin and may be affected by rate limits or service anti-bot controls, but no credential use or unrelated destination is shown.
The skill makes outbound requests to Douyin's public web endpoint using browser-like headers; this is disclosed and aligned with fetching hot-list data.
hostname: 'www.douyin.com', path: '/aweme/v1/hot/search/list/', method: 'GET', headers: { 'User-Agent': getRandomUserAgent(), ... 'Referer': 'https://www.douyin.com/' }
Use a reasonable request frequency and confirm this public endpoint is acceptable for your use case.
The skill may fail or behave differently in environments without Node/Python even though the registry metadata suggests no required binaries.
The package declares a Node requirement while the registry requirements section says no binaries and there is no install spec, so runtime needs are not consistently declared.
"openclaw": { "requires": { "bins": ["node"] } }
Declare Node and any Python helper requirements consistently in registry metadata or documentation.
