M3U8 Media Downloader
v1.0.3Use @lzwme/m3u8-dl for media download and video info parsing. Use when the user mentions video/music download (m3u8/HLS/mp4/mp3 or 抖音/皮皮虾/微博视频), or 获取视频信息、解析...
⭐ 1· 361·2 current·2 all-time
by任侠@renxia
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required binaries (m3u8dl, ffmpeg), and the install formula (@lzwme/m3u8-dl@1.9.0) all directly support downloading and parsing m3u8/HLS and social sharing links. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs using the m3u8dl CLI (info, parser, server) and Node API; it references expected inputs (URLs, batch list files) and optional WebUI env vars. It does not instruct the agent to read unrelated system files or unrelated environment variables. Note: the skill legitimately reads user-provided files (batch lists) and can request custom headers (which may include cookies) — both are functionally appropriate but can carry sensitive data if supplied.
Install Mechanism
Install uses an npm package formula (@lzwme/m3u8-dl@1.9.0) which is reasonable for a CLI written in Node. The package is pinned to a specific version (good). Installing an npm package is a moderate-risk operation because it writes code and binaries to disk; user should verify the package (npm view / GitHub) before installing.
Credentials
The skill requires no global secrets or unrelated credentials. It documents optional WebUI env vars (DS_PORT, DS_SECRET, DS_SAVE_DIR, DS_CACHE_DIR, DS_FFMPEG_PATH); DS_SECRET is appropriately flagged as sensitive. No disproportionate or unexplained env access is requested.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation. The skill does not request permanent presence or modify other skills or system-wide settings. Running the WebUI launches a local server — that is expected behavior but should be managed carefully.
Assessment
This skill appears to do what it says, but take these precautions before installing or running it: 1) Review the npm package and GitHub source for @lzwme/m3u8-dl@1.9.0 (npm view and the repo) to confirm you trust it. 2) Install/run in an isolated environment (container or VM) and ensure ffmpeg comes from a trusted source. 3) If you run the WebUI, do not expose it to the public network and set a strong DS_SECRET to prevent access. 4) Be careful when supplying custom headers or cookies (they can contain credentials). 5) Avoid using the tool to fetch private/internal URLs unless you understand the security implications. If you want lower risk, use the Node API or CLI on a disposable system and inspect downloaded files before opening.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎞️ Clawdis
Binsm3u8dl, ffmpeg
Install
Install m3u8-downloader CLI (node)
Bins: m3u8dl
latest
m3u8-downloader
Download m3u8/mp4 video and mp3/music, support 抖音、皮皮虾、微博 sharing links. Multi-thread download, WebUI, batch and Node API.
Example:
使用 m3u8-media-downloader 下载抖音视频/获取该视频详情:https://v.douyin.com/CW1iv0GeSJM/
Main capabilities
- m3u8/HLS & mp4 — download and merge to mp4 (ffmpeg required for ts→mp4)
- Music — mp3/m4a from m3u8/stream sources
- 抖音/皮皮虾/微博 — parse or download sharing links
CLI
# 推荐方式:固定版本执行
m3u8dl <urls...> [options]
m3u8dl info <url> # 解析视频信息
m3u8dl server # 启动 WebUI (http://localhost:6600)
Key options
| Option | Description |
|---|---|
-f, --filename <name> | Output filename |
-n, --thread-num <n> | Download threads (default: 4) |
-S, --save-dir <dir> | Save directory |
-T, --type <type> | m3u8 (default) | parser | web |
-H, --headers <json> | Custom request headers |
--ffmpeg-path <path> | ffmpeg path (for mp4 conversion) |
Quick examples
# Basic download
m3u8dl https://example.com/video.m3u8 -f "My Video" -S ./downloads
# 抖音/皮皮虾/微博 sharing link
# parser and download video
m3u8dl "https://v.douyin.com/xxxxx/" --type parser
# parser and print info
m3u8dl info "https://h5.pipix.com/xxxxx"
# With name: "name|url"
m3u8dl "Episode 1|https://example.com/ep1.m3u8"
# Batch: file with one "filename$url" per line
m3u8dl series-list.txt -f "Series Name"
# Extract m3u8 from web page
m3u8dl "https://example.com/play/123" --type web
WebUI
m3u8dl server [-P <port>] [-t <token>]
# Optional env vars for customization: DS_PORT, DS_SECRET, DS_SAVE_DIR, DS_CACHE_DIR, DS_FFMPEG_PATH
Open http://localhost:6600 to manage tasks in browser.
Security Considerations
⚠️ Important Security Notice
- Version Pinning: This skill uses pinned version
@1.9.0to prevent execution of different code on each run - Code Review: Inspect the package via
npm view @lzwme/m3u8-dl@1.9.0or GitHub before execution - Sandbox Environment: Run download tasks in an isolated environment with restricted filesystem permissions
- ffmpeg Installation: Ensure ffmpeg is installed from official or trusted sources only
- Sensitive Variables:
DS_SECRETis sensitive - configure carefully to protect WebUI access - Legal Compliance: Ensure downloads comply with local laws and source site terms of service
Node API
import { m3u8Download, VideoParser, m3u8BatchDownload } from '@lzwme/m3u8-dl';
// Download m3u8/mp4
await m3u8Download(url, { filename: 'video', saveDir: './downloads' });
// Parse 抖音/皮皮虾/微博
const parser = new VideoParser();
const info = await parser.parse('https://v.douyin.com/xxxxx/');
await parser.download(info, { saveDir: './downloads' });
// Batch download
await m3u8BatchDownload(['name1$url1', 'name2$url2'], { saveDir: './downloads' });
Scenario guide
| Scenario | CLI | Node API |
|---|---|---|
| m3u8/mp4 URL | m3u8dl <url> | m3u8Download(url) |
| 抖音/皮皮虾/微博 | --type parser or info <url> | VideoParser.parse() |
| Web page with m3u8 | --type web | getM3u8Urls() |
| Batch download | "name|url" or file | m3u8BatchDownload() |
| mp4 conversion | Requires ffmpeg | Set ffmpegPath |
LINKS
Comments
Loading comments...