Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Video Publisher

v1.0.0

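Automatically logs in to a Douyin account, uploads and publishes videos to the Douyin Creator Platform, and supports video tag management and login status checks.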

22 · 5.5k · 47 current · 48 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an automated Douyin publisher that relies on a local MCP server, Puppeteer/Chrome, mcporter and uvx commands. However, the skill metadata declares no required binaries, env vars, or install steps — those runtime dependencies are missing from the manifest and should be declared.
Instruction Scope
Instructions are focused on publishing videos and managing login state (including cookie persistence and SMS verification). They reference specific local paths (video files, cookie file, skill directory) and tell the user to add MCP server commands to configuration. These actions are within the stated purpose but grant the helper servers access to local files and account cookies, which is sensitive and should be explicitly documented.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or written by the skill itself. Risk comes from the external MCP server code the user is instructed to run — the manifest does not provide or vouch for that code.
Credentials
No environment variables or credentials are declared, yet the instructions expect running local node processes, mcporter/uvx commands and using Chrome and a cookies file (~/.../douyin-cookies.json). The skill implicitly requires access to local account cookies and files but does not declare or justify those requirements in metadata.
Persistence & Privilege
always is false and the skill does not request special platform-wide privileges. The skill will rely on a persistent cookie file for login state, but it does not request forced inclusion or modification of other skills.
What to consider before installing
This skill's instructions are plausible for automating Douyin publishing, but the package metadata omits key runtime dependencies (node, mcporter, uvx, Chrome) and asks you to run external MCP server code that will store and use account cookies. Before running anything: (1) verify the origin and integrity of the MCP server code (don’t run untrusted node scripts); (2) confirm you have and trust mcporter/uvx and understand what those tools will execute; (3) inspect the MCP server repository for any code that might exfiltrate cookies or files; (4) consider running the MCP server in an isolated environment or container and limit its filesystem access; (5) be cautious about storing account cookies — treat them like passwords; and (6) ask the skill author to update the manifest to list required binaries and a homepage/repo so you can review the implementation. If the author provides a reputable repository and updates the manifest to declare node/mcporter/uvx/Chrome requirements, my confidence that the skill is coherent would increase.

Like a lobster shell, security has layers — review code before you run it.

douyin, latest, mcp, short-video, tiktok, video-upload: vk97a4tv51h9mexmzj54sws36wd8136ye