ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gnview-douyin-video-download

v1.0.0

Download Douyin videos without watermark by using curl with a Referer header to bypass anti-leech and save files to configured paths.

0· 19·0 current·0 all-time
by@gnview
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill purpose (download Douyin videos by sending curl with a Referer) is coherent with the SKILL.md. However the metadata declares no required binaries while the instructions rely on curl, and the README mentions automatically using a config.json (no config paths declared) — minor mismatches between claimed requirements and actual instructions.
!
Instruction Scope
The instructions are mostly limited to constructing and running a curl command, which is in-scope. But they also state '自动使用config.json中的配置参数' and instruct obtaining the 'real playback URL' via Douyin API or third‑party tools. The skill does not declare any config paths; that ambiguity could cause the agent to look for or read a local config.json or to query external services to locate real video URLs.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest risk from installed artifacts.
Credentials
No environment variables or credentials are requested, which is appropriate. Still, the SKILL.md's reference to a local config.json and to third‑party tools increases the chance the agent will access local files or external services despite no declared permissions.
Persistence & Privilege
No special persistence or elevated privileges requested; always:false and the skill is user-invocable only (normal).
What to consider before installing
This skill is simple and appears to do what it says (use curl with a Referer to download Douyin video files), but be aware of a few issues before installing: - The SKILL.md assumes curl and a config.json but the metadata doesn't declare them. Confirm curl is available and inspect any config.json the agent might read; otherwise the agent could try to read arbitrary local files. - The skill asks you to obtain the 'real playback URL' via Douyin API or third‑party tools — that will cause network requests to external services. Only allow this skill if you trust those sources and the content you download. - Running the curl command will contact external domains and save files to disk. Ensure you have permission to download the videos (copyright/legal concerns) and that the download path is safe. If you plan to enable autonomous invocation, consider adding explicit config path and binary requirements (curl, path to config.json) or restrict the skill to manual invocation so you can review commands before they run.

Like a lobster shell, security has layers — review code before you run it.

latestvk979tt229w638vew6j6fksjhdd84nz4a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments