Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Monitor Skill

Automate real-time monitoring of Douyin product prices, receive threshold alerts, AI competitor analysis reports, and visualize price trends with batch task...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 92 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, entrypoint (main.py), config schema, and declared permissions (network, file, config) align with a Douyin price monitoring tool that can use an optional cookie and webhook. The code implements short-URL resolving, scraping (with optional Cookie), DB storage, and WeCom webhook alerts — all consistent with the stated features.
Instruction Scope
SKILL.md instructs installation and configuration and only references the Douyin cookie, wechat_webhook, and subscription_level. However: SKILL.md claims subscription_level is 'required' while config.schema.json and the code treat it as optional/default to 'basic' — a minor inconsistency. A pre-scan flagged a 'base64-block' pattern in SKILL.md (prompt-injection signal) — the visible SKILL.md doesn't show obvious base64, so this may be a false positive or there may be hidden/encoded content (or truncated content). Recommend manual review of SKILL.md and the entire skill files for any embedded/encoded instructions.
Install Mechanism
No install spec; this is essentially an instruction+script skill with one Python file and a small requirements.txt (requests). No remote downloads or archive extraction are performed by the skill itself. That is low-risk from an install mechanism perspective.
Credentials
The skill optionally accepts a Douyin cookie (sensitive account credential) and a WeCom webhook URL. Those are proportionate to the purpose (cookie to fetch real prices; webhook to send alerts) and are optional, but they are sensitive values. The skill reads configuration via the SKILL_CONFIG environment variable; ensure the platform manages and stores SKILL_CONFIG securely. Also note the documentation/code mismatch around 'subscription_level' being mandatory in docs but optional in code.
Persistence & Privilege
The skill runs from main.py, creates a local SQLite DB in the skill directory and writes files there — behavior consistent with a monitoring skill. 'always' is false and autonomous invocation isn't unusually privileged. Declared permissions (network, file, config) match observed behavior. The skill does not request system-wide configuration changes or access to other skills' credentials.
Scan Findings in Context
[base64-block] unexpected: A base64-block pattern was detected in the SKILL.md pre-scan. The visible SKILL.md provided in the package does not show obvious base64 content, so this may be a false positive, truncated content, or an encoded payload hidden elsewhere. Regardless, base64 blocks in skill docs or files can be used to hide instructions or payloads and warrant manual inspection of all files (including any truncated sections of main.py).
What to consider before installing
Before installing:

  1. Inspect the full main.py and SKILL.md for any hidden/encoded sections (the scanner flagged a base64-like block).
  2. Only provide the Douyin cookie if you understand the privacy implication — it is a sensitive credential; prefer leaving it unset and using simulated data.
  3. Only configure a WeCom webhook that you control and trust (a webhook can receive posted alerts).
  4. Run the skill in a sandboxed environment first (isolated user account/container) since it writes a local DB and uses network access.
  5. Ask the author to clarify the subscription_level mismatch (docs say required; code defaults to 'basic') and to confirm there are no embedded/obfuscated payloads.

If you are uncomfortable or cannot audit the files yourself, avoid providing secrets and run the skill with limited network/file permissions.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.7
Tags: competitor-analysis, douyin, ecommerce, latest, price-monitor


SKILL.md

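Douyin Competitor Monitoring AI Analyst

An essential automated monitoring tool for Douyin e-commerce operations, supporting real-time product price monitoring, threshold alerts, AI competitor analysis reports, and price trend visualization.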

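Features

  • Automatic resolution of Douyin product short links, so a monitoring task can be created in one step
  • Real-time price threshold alerts, with push notifications via WeCom
  • AI-generated weekly/monthly competitor analysis reports
  • Product price trend visualization
  • Batch management of multiple tasks, invoked with natural-language commands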

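Versions and Pricing

  • Basic: free forever, up to 20 monitored products, 30 alerts/month, basic analysis features
  • Professional: 99 yuan/month, up to 100 monitored products, 200 alerts/month, full analysis features, dedicated technical support
  • Enterprise: 199 yuan/month, unlimited products/alerts, multi-store management, customized alert channels, private deployment support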

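Installation and Usage

  1. Install the skill: npx clawhub@latest install douyin-monitor-skill

  2. Configuration options

  • douyin_cookie (optional): Cookie from the Douyin web version, used to fetch real product prices; if left empty, simulated data is used
  • wechat_webhook (optional): WeCom bot webhook URL, used to push alert messages
  • subscription_level (required): subscription tier; allowed values are basic, pro, enterprise

  3. Basic command examples

  • Create a monitor: 监控抖音商品 https://v.douyin.com/xxx/ 低于180元告警 (monitor Douyin product https://v.douyin.com/xxx/, alert below 180 yuan)
  • View tasks: 查看监控任务 (view monitoring tasks)
  • Generate a report: 生成竞品分析周报 (generate the weekly competitor analysis report)
  • Price trend: 画出商品123456 7天价格走势 (plot the 7-day price trend for product 123456)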

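Paid Upgrades and Customization

Contact QQ: 745934958 (note: Douyin monitoring) for Professional upgrades, enterprise custom development (multi-platform monitoring, private deployment), and other services.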

Files

6 total