ClawHub
Back to skill
v1.0.0

douyin-to-obsidian

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:00 AM.

Analysis

The skill appears to perform its stated Douyin-to-Obsidian task, but it uses anti-bot bypass techniques and automatically installs an unverified FFmpeg executable, so users should review it carefully before running it.

GuidanceBefore installing, confirm you are comfortable with a tool that bypasses Douyin anti-automation controls and downloads FFmpeg automatically. Prefer installing FFmpeg yourself from a trusted source, run the tool in a controlled environment, and change the Obsidian output path or enable backups to avoid accidental overwrites.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
scripts/extractor.py
ffmpeg_url = "https://www.gyan.dev/ffmpeg/builds/ffmpeg-release-essentials.zip" ... requests.get(ffmpeg_url, stream=True) ... zip_ref.extract(name, cache_dir) ... os.environ["PATH"] = str(cache_dir) + os.pathsep + ...

On first Windows run, the skill downloads a third-party executable archive, extracts/copies FFmpeg into a persistent cache, and prepends it to PATH; the artifacts do not show checksum or signature verification.

User impactIf the download source or network path is compromised, the user could end up running an untrusted local executable while processing videos.
RecommendationInstall FFmpeg through a trusted package manager, or require explicit user approval plus pinned checksum/signature verification before downloading and using the binary.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
scripts/extractor.py
args=[ '--disable-blink-features=AutomationControlled', '--disable-web-security' ] ... Object.defineProperty(navigator, 'webdriver', {get: () => undefined});

The browser automation is configured to evade automation detection and relax browser security while scraping Douyin, matching the advertised risk-control bypass behavior.

User impactUsing the skill may violate Douyin access controls or terms, trigger IP/account risk, and run pages in a less restricted automated browser context.
RecommendationUse only for content you are authorized to process, validate that inputs are Douyin URLs, avoid disabling web security unless strictly necessary, and prefer official APIs or export methods where available.
Cascading Failures
SeverityLowConfidenceHighStatusNote
scripts/run_extract.py
base_dir = r"E:\icloud\iCloudDrive\iCloud~md~obsidian\myobsidian" ... with open(full_path, "w", encoding="utf-8") as f:

The script writes directly to a default iCloud-backed Obsidian vault path using write mode, so a same-title transcript can overwrite an existing note and then sync.

User impactA generated note could overwrite an existing Obsidian file with the same title or be automatically synced to the user's cloud storage.
RecommendationReview and change the output path before use, keep backups, and add collision-safe filenames or confirmation before overwriting existing notes.