Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

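Short-video watermark removal and download. When a link from Douyin, Kuaishou, Xiaohongshu, Bilibili, Weibo, Xigua Video or a similar platform is detected, the skill automatically parses it, downloads the watermark-free video, and sends the file directly to the user.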

v1.0.0

by douzi@sjzai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sjzai/qushuiyin.

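Install the skill "Short-video watermark removal and download. When a link from Douyin, Kuaishou, Xiaohongshu, Bilibili, Weibo, Xigua Video or a similar platform is detected, the skill automatically parses it, downloads the watermark-free video, and sends the file directly to the user." (sjzai/qushuiyin) from ClawHub.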
Skill page: https://clawhub.ai/sjzai/qushuiyin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install qushuiyin

ClawHub CLI

npx clawhub@latest install qushuiyin

Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description match the implementation: the skill accepts short-video links, calls a parsing API, downloads the resulting video, and returns it. However, the implementation expects a web-accessible storage location (/www/wwwroot/default/videos) and an HTTP base URL, which the SKILL metadata does not declare as required configuration or permissions. Rehosting files under the agent's webroot is a capability that should be explicitly disclosed.
Instruction Scope
SKILL.md instructs the agent to auto-trigger on any message containing target-platform links and run the included script. The script sends the provided video URL to an external API (https://qyapi.ipaybuy.cn/api/video) and downloads the returned file. That means user-supplied links (and therefore potentially private or sensitive URLs) are transmitted off-host without any explicit opt-in beyond the skill description. Automatic invocation on any matching message increases the blast radius.
Install Mechanism
There is no install spec (instruction-only plus a small script bundled). Nothing is downloaded at install time and no external binaries are pulled, so install mechanism risk is low.
Credentials
The skill declares no required env vars or credentials, but the bundled script contains hard-coded placeholders for APP_ID, APP_KEY ('密钥'), and SERVER_IP ('服务器ip'). The code expects to use a third-party API and to construct a public BASE_URL for served videos. Required configuration/credentials are not declared, and the external API endpoint is untrusted/unknown — user data (URLs) will be sent there. Writing into a webroot and exposing files publicly is a disproportionate side-effect not reflected in metadata.
Persistence & Privilege
The skill writes downloaded videos into /www/wwwroot/default/videos and exposes them via HTTP on port 8899. While always:false (not force-installed), the skill is allowed to invoke autonomously and is configured to auto-run on matching messages; combined with external uploads and persistent storage this is a notable privilege (data is persisted and publicly exposed).
What to consider before installing
Before installing, consider these points:

- This skill will automatically send any detected short-video link to an external API (https://qyapi.ipaybuy.cn) for parsing — if you don't trust that service, do not install it. The service will receive the URLs and potentially other metadata.
- Downloaded videos are stored under /www/wwwroot/default/videos and served via HTTP on port 8899. That rehosts content publicly; check permissions, privacy, copyright, and whether you want files placed in your webroot.
- The bundled script contains hard-coded placeholders for APP_ID/APP_KEY and SERVER_IP. The skill doesn't declare these as required config — you would need to edit the script or otherwise provide credentials/host info. That mismatch is suspicious and could lead to accidental leaks if real keys are later inserted without proper controls.
- Because the skill auto-runs on any message containing matching links, it can exfiltrate links without explicit user confirmation. If you proceed, consider disabling autonomous invocation, sandboxing the skill, or replacing the third-party API with a trusted in-house parser and configuring storage to a safe location.
- If you must use it: review the external API's privacy policy, run the script in a restricted environment, set proper file permissions, and replace placeholders with your own trusted credentials and server only after careful review.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97djxweez3hby7f1z31axnhy583v3ye
134 downloads
1 star
1 version
Updated 1mo ago
v1.0.0
MIT-0

Video Download Skill

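Trigger conditions

When a user message contains a link from any of the following short-video platforms, run automatically; no trigger word is needed:

  • Douyin: v.douyin.com / douyin.com
  • Kuaishou: v.kuaishou.com / kuaishou.com
  • Xiaohongshu: xhslink.com / xiaohongshu.com
  • Bilibili: b23.tv / bilibili.com
  • Weibo: weibo.com
  • Xigua Video: ixigua.com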

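Execution steps

  1. Extract the URL from the message (regex: https?://[^\s]+, matching the domains above)
  2. Run the script:
    python3 /root/.openclaw/skills/video-download/scripts/download.py '<url>'
    
  3. Parse the output:
    • Success (starts with SUCCESS:) → reply with the download link
    • Failure (starts with FAIL:) → reply with the error reason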

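Reply format

On success:

  1. Use the message tool to send the video file directly (set the media parameter to the local file path and channel to the source channel)
  2. Reply with the text: ✅ Watermark-free video sent

If sending the file fails, reply with the download link instead:

✅ Watermark-free video: http://81.70.156.92:8899/videos/xxx.mp4

On failure:

❌ Parsing failed: <reason>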

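Notes

  • No cookie is required; parsing uses a third-party API
  • Files are saved to /www/wwwroot/default/videos/ and served for download by nginx on port 8899
  • Douyin share text (with extra surrounding text) is supported; the URL is extracted automatically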
