Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Crawler

Extract videos from Douyin and Twitter by providing platform and URL, outputting the downloaded video file or an error message.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 351 · 5 current installs · 5 all-time installs
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description, the SKILL.md, and the code align: the script uses Playwright + requests to fetch Douyin videos and yt-dlp to fetch Twitter/X videos. The declared dependencies in the README (playwright, requests, yt-dlp) are appropriate for the stated functionality. However, the code includes a hard-coded DASHSCOPE_API_KEY constant (looks like an sk-... secret) that has no role in the stated purpose — this is unexpected and unexplained.
Instruction Scope
SKILL.md gives clear, limited runtime instructions (install dependencies, run python3 video_crawler.py <platform> <url> [output]). The instructions do not ask the agent to read unrelated files or environment state. The implementation performs network requests and writes temporary files in /tmp (expected for downloading). The only scope discrepancy is that SKILL.md does not mention any API key or external service that would justify the embedded secret.
Install Mechanism
This is an instruction-only skill (no registry install spec). The README recommends pip install of third-party packages and running 'playwright install chromium' — normal for this functionality but note that pip package installation and Playwright's browser install will download and execute code from upstream package indexes/CDNs. That is expected but carries the usual supply-chain risk.
Credentials
The skill declares no required environment variables or credentials, yet the Python source contains a hard-coded constant named DASHSCOPE_API_KEY with a value that looks like an API secret (sk-...). Embedding such a secret in code is a mismatch with the declared requirements and is a sensitive risk (exposed credential or backdoor). The key is not used anywhere in the file, which suggests it may be leftover, accidentally committed, or a hidden/unneeded back channel — none of which are good signs.
Persistence & Privilege
The skill does not request persistent installation hooks, does not set always: true, and does not modify other skills or system-wide agent settings. It runs as an on-demand script and writes downloaded files to /tmp — within expected privilege for its purpose.
What to consider before installing
This skill appears to do what it says (download Douyin/X videos), but the embedded hard-coded API key in the source is a red flag. Before installing or running it: (1) ask the author why the DASHSCOPE_API_KEY exists and request its removal; (2) do not run it on machines or accounts that hold sensitive credentials; run it in an isolated sandbox/container if you must test; (3) if the key belongs to you or your org, assume it is compromised and rotate/revoke it immediately; (4) consider manually reviewing the code (or having a trusted reviewer do so) for any other hidden endpoints or secrets; and (5) prefer a version from a known, reputable source or one that does not contain embedded secrets.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
crawler vk97d0fs53msbedtgxrs7x8tq9x81vzam · douyin vk97d0fs53msbedtgxrs7x8tq9x81vzam · latest vk97d0fs53msbedtgxrs7x8tq9x81vzam · twitter vk97d0fs53msbedtgxrs7x8tq9x81vzam · video vk97d0fs53msbedtgxrs7x8tq9x81vzam

SKILL.md

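Video Crawler - Video Crawling Skill

Fetch Douyin and Twitter videos in one step.

Installing dependencies

pip install playwright requests yt-dlp
playwright install chromium

Usage

python3 video_crawler.py <platform> <url> [output_file]

Fetch a Douyin video

python3 video_crawler.py douyin "https://v.douyin.com/xxx"

Fetch a Twitter video

python3 video_crawler.py twitter "https://x.com/i/status/xxx"

Supported platforms

| Platform | Command | Example |
|----------|---------|---------|
| Douyin | douyin | https://v.douyin.com/xxx |
| Twitter | twitter | https://x.com/i/status/xxx |

Output

  • Success: prints the output file path
  • Failure: prints an error message

Notes

  • Douyin videos may take 15-25 seconds
  • Twitter video files are large; mind Telegram's 16MB limit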

Files

2 total