ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

抖音下载器(Node.js)

v1.0.0

抖音无水印视频下载和文案提取工具

3· 694·2 current·2 all-time
by@whille

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for whille/douyin-downloader-nodejs.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "抖音下载器(Node.js)" (whille/douyin-downloader-nodejs) from ClawHub.
Skill page: https://clawhub.ai/whille/douyin-downloader-nodejs
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: ffmpeg
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install whille/douyin-downloader-nodejs

ClawHub CLI

Package manager switcher

npx clawhub@latest install douyin-downloader-nodejs
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Douyin downloader + transcription) align with the code: it parses Douyin links, downloads videos, extracts audio, and posts audio to a transcription API. Minor mismatch: the registry metadata lists no required environment variables, but SKILL.md and the code expect an API key (DOUYIN_API_KEY or API_KEY) for transcription.
Instruction Scope
SKILL.md instructs running the included Node script and the code follows that. The code performs network requests to douyin.com (to resolve video info) and to https://api.siliconflow.cn/v1/audio/transcriptions to upload audio for transcription — this is expected for the stated feature but is important to note because it sends user audio to a third party. The SKILL.md examples reference an absolute skill workspace path; otherwise the instructions do not request unrelated system data.
Install Mechanism
This is an instruction-only skill with no install spec; nothing is downloaded or extracted by an installer, which is the lowest-risk install model.
!
Credentials
The skill requires an API key for transcription (DOUYIN_API_KEY or API_KEY) according to SKILL.md and the code, but the registry metadata reports no required environment variables or primary credential — that inconsistency is concerning because users may not realize they must provide a key. Otherwise, no unrelated credentials or high-privilege env vars are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It creates files in the specified output directories and invokes ffmpeg/ffprobe locally, which is appropriate for its purpose.
What to consider before installing
This skill appears to implement Douyin downloading and transcription, but check the following before installing: - Be aware audio is uploaded to https://api.siliconflow.cn for transcription. Do not use the skill on sensitive audio unless you trust that service and its privacy policy. - SKILL.md and the code require an API key (DOUYIN_API_KEY or API_KEY) but the registry metadata does not declare it — expect to provide that secret manually. Limit the key's scope if possible. - The code spawns both ffmpeg and ffprobe; ensure those binaries are available (ffprobe may be part of ffmpeg on some systems). The metadata only listed ffmpeg — consider this a small mismatch. - The skill writes video/audio/transcript files to the output folder you choose; run it in a sandboxed or disposable workspace if unsure. - The repository/homepage is listed (https://github.com/yzfly/douyin-mcp-server). If you plan to use it, review the full source there and the remainder of douyin.js (the provided file was truncated in the package) so you can confirm no unexpected behavior exists. If you want higher assurance, ask the publisher to update the metadata to declare the required env vars and to provide a full audit of network endpoints and any additional code paths not visible in the truncated file.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎵 Clawdis
Binsffmpeg
latestvk976k0n1tjzz2694xnt8ws5h9581nv44
694downloads
3stars
1versions
Updated 4h ago
v1.0.0
MIT-0
@whille
latest
Download

douyin-downloader Skill

抖音无水印视频下载和文案提取工具的 Node.js 版本。

功能

  • 🎬 获取无水印视频下载链接
  • 📥 下载抖音视频
  • 🎙️ 从视频中提取语音文案(需要 API Key)

环境变量

  • DOUYIN_API_KEYAPI_KEY - 硅基流动 API 密钥(用于语音转文字)

获取 API Key: https://cloud.siliconflow.cn/

使用方法

获取视频信息(无需 API Key)

node /root/.openclaw/workspace/skills/douyin-downloader/douyin.js info "抖音分享链接"

下载视频

node /root/.openclaw/workspace/skills/douyin-downloader/douyin.js download "抖音链接" -o ./videos

提取文案(需要 API Key)

export DOUYIN_API_KEY="your-api-key"
node /root/.openclaw/workspace/skills/douyin-downloader/douyin.js extract "抖音链接" -o ./output

在 OpenClaw 中调用

通过 exec 工具调用:

node /root/.openclaw/workspace/skills/douyin-downloader/douyin.js info <抖音链接>

Comments

Loading comments...