Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Upload Skill

v0.1.0

Login and publish Douyin (China mainland) videos from local files with OAuth, local speech-to-text, and generated caption drafts. Use when users ask to autho...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yjli-new/douyin-upload-skill.

Install the skill "Douyin Upload Skill" (yjli-new/douyin-upload-skill) from ClawHub.
Skill page: https://clawhub.ai/yjli-new/douyin-upload-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install yjli-new/douyin-upload-skill

ClawHub CLI


npx clawhub@latest install douyin-upload-skill

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code and SKILL.md implement a Douyin OAuth + upload + local/third-party ASR + fallback outbox workflow that matches the skill name and description. However the registry metadata claims no required environment variables while SKILL.md and the code require DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, and DOUYIN_REDIRECT_URI (and optionally DOUYIN_ASR_API_KEY, DOUYIN_TOKEN_ENC_KEY, etc.). This metadata omission is an inconsistency you should be aware of.
Instruction Scope
Runtime instructions and the code operate on local video files, compute SHA256, extract audio, run local binaries (ffmpeg/whisper-cli) and may send audio to a configured ASR API. By default the config sets asrMode='api', and DEFAULT_ASR_API_URL is set to OpenAI's transcription endpoint — meaning audio may be uploaded to a third‑party by default unless you explicitly configure local whisper mode. The tool also writes transcript cache, outbox packages, and encrypted tokens under ~/.config/. These behaviors are consistent with the tool's functionality but are privacy-sensitive and not explicitly emphasized in the registry metadata.
Install Mechanism
There is no external install spec (no downloaded installers or remote archives); the package contains Node.js scripts. The code expects local binaries (ffmpeg, ffprobe, whisper-cli, xdg-open). This is lower risk than fetching remote executables, but it does rely on running local command-line tools.
Credentials
The environment variables requested by SKILL.md and used in code (DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, DOUYIN_REDIRECT_URI, optional DOUYIN_ASR_API_KEY, DOUYIN_TOKEN_ENC_KEY, etc.) are proportionate to a CLI that authenticates with Douyin and optionally calls an ASR API. The registry metadata incorrectly lists zero required env vars — a mismatch. Also DOUYIN_ASR_API_KEY can cause audio to be sent to a third-party if asrMode is left as 'api'.
Persistence & Privilege
The skill stores encrypted tokens and a local key file under standard per-user paths (~/.config, ~/.cache, ~/.local/share). It does not request system-wide or other skills' credentials and it does not set always:true. Token storage uses AES-256-GCM with a key derived from an env var or a local token.key file. This is expected for persistent CLI credentials but creates a persistent local artifact you should manage and protect.
What to consider before installing
This tool appears to do what it claims (authorize Douyin, transcribe, draft captions, and publish or export a fallback package). Before installing or running it:

  • Expect to set DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, and DOUYIN_REDIRECT_URI — the registry metadata omits these required env vars.
  • If you do NOT want your audio uploaded to a cloud ASR service, set DOUYIN_ASR_MODE to whisper-gpu or whisper-cpu and ensure whisper-cli and the model are installed; otherwise the default mode ('api') will POST audio to the configured ASR API (DEFAULT_ASR_API_URL is the OpenAI transcription endpoint).
  • The tool writes encrypted tokens and a local key file under ~/.config/douyin-upload-skill; if you provide DOUYIN_TOKEN_ENC_KEY it will use that instead. Protect these files and review token persistence policy if you share the machine.
  • The fallback outbox includes source-path.txt (the original local path) and transcript/caption files — review these before copying or sharing the outbox.
  • If you need assurance about what external endpoints are contacted, inspect/modify config.asrApiUrl and the code; the Douyin endpoints used are https://open.douyin.com and the ASR endpoint is configurable.

Given the metadata mismatch and privacy-impacting default (ASR API), proceed only after confirming environment variables and setting ASR mode to local if you require on-device transcription.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Douyin Upload Skill

Overview

Use this skill to publish local videos to Douyin with a deterministic CLI flow:

  1. Validate local dependencies and env.
  2. OAuth authorize and store encrypted token locally.
  3. Prepare video metadata and transcript from local audio.
  4. Generate 3 caption candidates in chat from transcript.
  5. Confirm or edit caption, then publish.
  6. If official publish permission is unavailable, export an outbox package for manual publish.

Use the script at <skill_root>/scripts/douyin.js.

Required Environment

Set these environment variables before auth or publish:

  • DOUYIN_CLIENT_KEY
  • DOUYIN_CLIENT_SECRET
  • DOUYIN_REDIRECT_URI

Optional overrides:

  • DOUYIN_SCOPE
  • DOUYIN_TOKEN_ENC_KEY
  • DOUYIN_ASR_MODE (api / whisper-gpu / whisper-cpu)
  • DOUYIN_ASR_API_URL
  • DOUYIN_ASR_API_MODEL
  • DOUYIN_ASR_API_KEY
  • DOUYIN_WHISPER_BIN
  • DOUYIN_WHISPER_MODEL_PATH
  • DOUYIN_FFMPEG_BIN
  • DOUYIN_FFPROBE_BIN
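
A preflight check for the variables listed above, as an added example that is not part of the skill's own code. It assumes only the process environment matters (settings persisted with the `config` command are not inspected) and follows the scan report in treating an unset DOUYIN_ASR_MODE as `api`.

```javascript
// Added example, not the skill's code. Variable names and mode values are from this page.
// Assumption: only the environment is inspected; settings persisted with `config` are not.
const REQUIRED = ['DOUYIN_CLIENT_KEY', 'DOUYIN_CLIENT_SECRET', 'DOUYIN_REDIRECT_URI'];
const LOCAL_ASR_MODES = ['whisper-gpu', 'whisper-cpu'];

function preflight(env) {
  const isSet = (name) => typeof env[name] === 'string' && env[name].trim() !== '';
  const findings = [];

  // The registry metadata lists no required variables; SKILL.md lists these three.
  for (const name of REQUIRED) {
    if (!isSet(name)) findings.push({ level: 'error', msg: `${name} is not set` });
  }

  // Per the scan report, an unset mode means 'api', which uploads audio.
  const asrMode = isSet('DOUYIN_ASR_MODE') ? env.DOUYIN_ASR_MODE.trim() : 'api';
  const audioLeavesHost = !LOCAL_ASR_MODES.includes(asrMode); // unknown values fail closed
  if (asrMode === 'api') {
    const target = isSet('DOUYIN_ASR_API_URL') ? 'DOUYIN_ASR_API_URL' : 'the default ASR endpoint';
    findings.push({ level: 'warn', msg: `ASR mode is api: audio is sent to ${target}` });
  } else if (audioLeavesHost) {
    findings.push({ level: 'error', msg: 'DOUYIN_ASR_MODE is not api, whisper-gpu or whisper-cpu' });
  }

  // Without this variable the skill keeps its key in a local token.key file.
  if (!isSet('DOUYIN_TOKEN_ENC_KEY')) {
    findings.push({ level: 'info', msg: 'token key will live in a local token.key file' });
  }

  const ok = !findings.some((f) => f.level === 'error');
  return { ok, asrMode, audioLeavesHost, findings };
}

// Stand-alone run: report on the current environment without printing any values.
const report = preflight(process.env);
for (const f of report.findings) console.log(`[${f.level}] ${f.msg}`);
console.log(report.ok ? 'preflight passed' : 'preflight failed');
```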

Workflow

  1. Run dependency checks:

     node <skill_root>/scripts/douyin.js doctor

  2. Authorize account (manual code paste flow):

     node <skill_root>/scripts/douyin.js auth

  3. Prepare transcript and metadata from a local video path. Accept both Linux and Windows path formats.

     node <skill_root>/scripts/douyin.js prepare --video "E:\\videos\\demo.mp4"

  4. Create 3 caption candidates from transcript.text with this structure:

       • Line 1: title hook
       • Line 2-3: concise description
       • Final line: 2-5 hashtags

  5. Ask user to select or edit one final caption.

  6. Publish with explicit visibility and confirmation policy:

     node <skill_root>/scripts/douyin.js publish \
       --video "E:\\videos\\demo.mp4" \
       --text "<final caption>" \
       --private-status 0 \
       --auto-confirm false

Command Behavior

  • doctor: reports dependency and env readiness plus install hints.
  • auth: opens OAuth URL, accepts pasted callback URL or code, stores encrypted token.
  • prepare: returns metadata, transcript, and ASR failure detail (without stopping publish flow).
  • publish: uploads and creates video via official API. If permission-like API errors occur, writes fallback files under outbox and returns mode: fallback.
  • config: stores persistent settings (defaultPrivateStatus, autoConfirm, whisperBin, whisperModelPath, outboxDir, etc.).

Caption Rules

Before publish:

  • Keep final text length <= 1000.
  • Always show the final draft to the user.
  • If auto-confirm is false, require explicit user confirmation in terminal.

Output Contracts

Treat script stdout as JSON. Always parse and branch by:

  • ok
  • command
  • mode (official or fallback for publish)
  • asrError (optional in prepare)
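
One way a caller could apply this contract so that a fallback export or malformed output is never reported as a successful publish; this is an added example, not code from the skill. It assumes `ok` is a JSON boolean and `command` echoes the subcommand name, and the returned `action` strings are hypothetical.

```javascript
// Added example, not the skill's code. Field names ok, command, mode and asrError come
// from the list above; the action strings and the sample outputs are constructed.
function interpretResult(stdout, expectedCommand) {
  let res;
  try {
    res = JSON.parse(stdout);
  } catch (err) {
    return { action: 'abort', reason: 'stdout is not valid JSON' };
  }
  if (res === null || typeof res !== 'object' || Array.isArray(res)) {
    return { action: 'abort', reason: 'stdout is not a JSON object' };
  }
  // Strict comparison: a missing field or the string "true" must not count as success.
  if (res.ok !== true) return { action: 'abort', reason: 'ok is not true' };
  if (res.command !== expectedCommand) {
    return { action: 'abort', reason: 'result is for a different command' };
  }
  if (res.command === 'publish') {
    if (res.mode === 'official') return { action: 'done', reason: 'published via official API' };
    if (res.mode === 'fallback') {
      // Nothing was published; the outbox holds source-path.txt and transcript files.
      return { action: 'manual-publish', reason: 'outbox written, review before sharing' };
    }
    return { action: 'abort', reason: 'publish result has unknown mode' };
  }
  if (res.command === 'prepare' && res.asrError !== undefined && res.asrError !== null) {
    return { action: 'draft-without-transcript', reason: 'ASR failed' };
  }
  return { action: 'continue', reason: 'ok' };
}

// Constructed sample outputs, for a stand-alone run.
const samples = [
  ['{"ok":true,"command":"publish","mode":"fallback"}', 'publish'],
  ['{"ok":true,"command":"prepare","asrError":"timeout"}', 'prepare'],
  ['Error: something went wrong', 'publish'],
];
for (const [out, cmd] of samples) console.log(cmd, '->', interpretResult(out, cmd).action);
```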
