Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Save Douyin Video To Feishu Drive

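Parses a Douyin share link or video page URL to extract the downloadable direct video link, title, and description, and can download the video locally or upload it to Feishu Drive. Use it when you need to parse a Douyin URL (short link, /video/, /note/, modal_id, etc.) and obtain the real playback address or download the video.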

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 486 · 3 current installs · 4 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included script: it parses Douyin URLs, downloads video, and can upload to Feishu Drive. However, the package metadata claims no required binaries while SKILL.md and the script clearly require at least Node (Node 18+), and SKILL.md examples also use curl and python3. The absence of these requirements in metadata is an inconsistency.
Instruction Scope
SKILL.md instructs network operations (fetching Douyin and Feishu APIs), downloading files to temp directories, and uploading to Feishu — all consistent with purpose. Concerning items: SKILL.md suggests saving app_id/app_secret and folder_token into TOOLS.md (plaintext storage), and provides a curl|python snippet that assumes curl and python3 are available. The guidance to save secrets in a shared preferences file expands scope and increases risk.
Install Mechanism
No install spec — the skill is instruction + a single JavaScript script. Nothing is downloaded from external arbitrary URLs at install time. Risk is primarily runtime (script execution) rather than installer behavior.
Credentials
The skill requires Feishu credentials to upload (app_id/app_secret or tenant token and folder token). That is proportional to upload functionality, but SKILL.md recommends storing these secrets in TOOLS.md (plaintext) which is insecure. Also SKILL.md recommends giving the robot 'drive:drive.metadata:readonly' permission even though the script performs uploads (write operations) — this permission guidance appears incorrect or inconsistent with required capabilities.
Persistence & Privilege
always:false and no automatic autonomous persistence are appropriate. The only persistence the skill requests is that the user save preferences into TOOLS.md; this is user-directed, but the guidance to store secrets there is risky. The skill does not request system-wide config changes or other skills' credentials.
What to consider before installing
This skill appears to implement the described functionality, but review before use:

  1. Required tooling is understated — you need Node 18+ to run the script, and SKILL.md examples assume curl and python3; ensure these are present.
  2. Do NOT store app_id/app_secret or access tokens in plaintext TOOLS.md or shared files; prefer ephemeral tokens or secure secret storage (environment variables or a secrets manager).
  3. The README suggests a readonly Feishu permission (drive.metadata:readonly) which contradicts the script's upload behavior — confirm required Feishu scopes (upload needs write permissions).
  4. Run the script in a sandboxed environment (or with limited privileges) the first few times and inspect network calls if possible.
  5. If you need higher confidence, ask the publisher for: a homepage/source repo, explanation of Feishu scopes required, and a statement that secrets will not be logged or stored insecurely.

If you proceed, avoid embedding long-lived credentials in plain files.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest vk9704zzqkvknjes6b99sbcdssx8273c2

SKILL.md

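When to use

  • The user provides a Douyin share link or video page URL and needs a downloadable video address, or wants to download the video file directly
  • The video needs to be uploaded to Feishu Drive and a share link obtained

Choosing a usage method

Users can handle Douyin videos in any of the following ways:

Method 1: Upload to Feishu Drive (recommended)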

# Get the Feishu token
TOKEN=$(curl -s -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \
  -H "Content-Type: application/json" \
  -d '{"app_id":"<app_id>","app_secret":"<app_secret>"}' | python3 -c "import json,sys; print(json.load(sys.stdin)['tenant_access_token'])")

# Run the upload
node scripts/parse-douyin-video.js <douyin_url> --feishu <token> <folder_token>

  • Advantages: supports large files (>30MB); the user can download directly from the drive
  • Returns: feishu_url (the drive link)

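First-time use requires configuration:

  1. Create a folder in Feishu Drive (e.g. "Douyin Videos")
  2. Share the folder with the bot: add it as a member and set its permissions
  3. Follow the Feishu Open Platform documentation to enable folder permissions
  4. Grant the bot the drive:drive.metadata:readonly permission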

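Method 2: Parse only

node scripts/parse-douyin-video.js <douyin_url>

  • Returns: title, desc, video_urls, and other information
  • Suitable when: only the direct video link is needed
  • ⚠️ Note: accessing the returned video_url directly returns 403; the request must include Referer: https://www.douyin.com/ for the download to work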

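Method 3: Download locally

# Download to a temporary directory (the directory is created automatically)
node scripts/parse-douyin-video.js <douyin_url> --download

# Download to a specified path
node scripts/parse-douyin-video.js <douyin_url> /path/to/video.mp4

  • Returns: download_path
  • ⚠️ Feishu chat sending limit: file size ≤ 30MB; larger files require Method 1 (upload to the drive)
  • ⚠️ When sending a file through Feishu:
    • The upload API's file_type must be "stream" (not mp4)
    • The send-message API's msg_type is "file"
    • content must be a string: "{\"file_key\":\"xxx\"}"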

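Configuring user preferences

Once the user has chosen a usage method, the preference configuration needs to be saved to TOOLS.md:

## Douyin video handling (usage preferences)

### Fixed configuration
- **Feishu token retrieval**: app_id / app_secret
- **Drive folder**: folder_token

### Usage method
When a Douyin link is received, automatically upload using the [Feishu Drive] method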
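
The scan results above advise against keeping app_id/app_secret in TOOLS.md. One way to run the Feishu Drive upload with the credentials read from environment variables instead; this is an added example, not part of the skill's SKILL.md or script, and the variable names (FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_FOLDER_TOKEN) and function names are assumptions:

```bash
#!/usr/bin/env bash
# Added example: run the Feishu Drive upload without writing secrets to TOOLS.md.
# Assumed names (not from the skill): FEISHU_APP_ID, FEISHU_APP_SECRET,
# FEISHU_FOLDER_TOKEN, feishu_auth_body, feishu_tenant_token, douyin_to_feishu.
FEISHU_AUTH_URL="https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal"

# Build the auth request body from the environment. json.dumps does the
# quoting, so a secret containing quotes or backslashes cannot break the JSON.
feishu_auth_body() {
  if [ -z "${FEISHU_APP_ID:-}" ] || [ -z "${FEISHU_APP_SECRET:-}" ]; then
    echo "FEISHU_APP_ID and FEISHU_APP_SECRET must be set" >&2
    return 1
  fi
  FEISHU_APP_ID="$FEISHU_APP_ID" FEISHU_APP_SECRET="$FEISHU_APP_SECRET" python3 -c '
import json, os
print(json.dumps({"app_id": os.environ["FEISHU_APP_ID"],
                  "app_secret": os.environ["FEISHU_APP_SECRET"]}))'
}

# Exchange the credentials for a tenant_access_token. The body reaches curl on
# stdin (--data @-), so app_secret never appears in curl's command line.
feishu_tenant_token() {
  local body
  body=$(feishu_auth_body) || return 1
  printf '%s' "$body" |
    curl -sS --fail -X POST "$FEISHU_AUTH_URL" \
      -H "Content-Type: application/json" --data @- |
    python3 -c 'import json,sys; print(json.load(sys.stdin)["tenant_access_token"])'
}

# Parse and upload. Only the expiring token, not app_secret, is handed to the
# skill's script, using the argument order shown in SKILL.md.
douyin_to_feishu() {
  local url="$1" token
  if [ -z "${FEISHU_FOLDER_TOKEN:-}" ]; then
    echo "FEISHU_FOLDER_TOKEN must be set" >&2
    return 1
  fi
  token=$(feishu_tenant_token) || return 1
  node scripts/parse-douyin-video.js "$url" --feishu "$token" "$FEISHU_FOLDER_TOKEN"
}
```

With this in place, TOOLS.md only needs to record the non-secret preference (which method to use), while the three variables are exported in the session or injected by a secrets manager.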

Common errors

  • 1061004: forbidden - the drive folder has not been shared with the bot

Files

2 total