Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tiktok-downloader

v1.0.0

Download TikTok videos by URL or hashtag. Handles 403 errors, cookies, and user-agent rotation. Use for downloading TikTok videos, batch downloading from a l...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kgc-yj/tiktok-downloader.

Install the skill "tiktok-downloader" (kgc-yj/tiktok-downloader) from ClawHub.
Skill page: https://clawhub.ai/kgc-yj/tiktok-downloader
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tiktok-downloader

ClawHub CLI

npx clawhub@latest install tiktok-downloader

Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

! Purpose & Capability

The skill's stated purpose (download TikTok videos, handle 403s via cookies and UA rotation) aligns with the included script, but the package declares no required binaries or config paths while the SKILL.md and script explicitly require yt-dlp, a browser, and a specific cookie directory (/home/ubuntu/.browser_data_dir). Those are legitimate needs for this purpose but should have been declared; the hardcoded absolute path and lack of declared requirements are inconsistent.

! Instruction Scope

Runtime instructions tell the agent to navigate with the browser tool to create/refresh cookies and then to extract cookies from /home/ubuntu/.browser_data_dir. That directs the agent to read local browser data (sensitive), and the instructions give the agent discretion to log in via the browser — both actions go beyond a simple downloader and increase exposure of credentials/session tokens. The instructions also assume presence of yt-dlp and a Chromium browser without declaring them.

Install Mechanism

There is no install spec (instruction-only plus a small shell script). No external downloads or archive extraction are performed by the skill itself. The included script is short and directly calls yt-dlp; no additional packages are pulled by the skill.

! Credentials

The skill requests no environment variables, but it requires access to a browser cookie directory (effectively a form of credential access). That access is sensitive and not declared in requires.config or similar metadata. The skill could read other cookies or session tokens in that directory; this level of filesystem credential access should be explicitly declared and minimized.

Persistence & Privilege

The skill is not always-enabled and does not request elevated/persistent privileges. It does not attempt to modify other skills or system-wide configs.

What to consider before installing

This skill appears to do what it says, but it asks the agent to read your browser cookie directory (a sensitive source of session tokens) and assumes yt-dlp and a Chromium profile exist even though those are not declared. Before installing:

  1. Inspect the script yourself (it's short) to confirm no network exfiltration — the included script does not POST to external endpoints.
  2. Avoid giving it unrestricted access to your real browser profile; instead create a dedicated browser profile with only TikTok cookies or run in an isolated/VM environment.
  3. Ensure yt-dlp is installed from a trusted source if you intend to use the skill.
  4. Ask the publisher to declare required binaries and the config path in metadata, or remove hardcoded absolute paths so you can control which cookie store is used.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f8f3n58bw7xrxn4wc7cd89983ewwt
121 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

TikTok Downloader

This skill provides a robust workflow for downloading TikTok videos, overcoming common anti-bot measures like 403 Forbidden errors and login requirements.

Core Workflow

1. Single Video Download

To download a specific TikTok video, use the provided script:

/home/ubuntu/skills/tiktok-downloader/scripts/download_tiktok.sh <VIDEO_URL> [OUTPUT_DIR]

2. Handling 403 Forbidden Errors

If yt-dlp fails with a 403 error, follow these steps:

  1. Navigate to the URL using the browser tool to establish a session and cookies.
  2. Run the script again. It is pre-configured to extract cookies from the browser's data directory (/home/ubuntu/.browser_data_dir).

3. Batch Downloading

For multiple videos:

  1. Save all URLs to a text file (e.g., urls.txt).
  2. Use yt-dlp with the following recommended flags:
    yt-dlp --no-warnings \
      --cookies-from-browser "chromium:/home/ubuntu/.browser_data_dir" \
      --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" \
      --add-header "Referer:https://www.tiktok.com/" \
      -o "%(uploader)s - %(title).80s.%(ext)s" \
      --batch-file urls.txt
    

Best Practices

  • Browser Navigation: Always visit at least one TikTok video page in the browser before starting a batch download to ensure cookies are fresh.
  • Hashtag Pages: TikTok hashtag pages often require login. If a hashtag page fails to load, ask the user to log in via the browser or search for individual video URLs using the search tool.
  • Output Naming: Use %(uploader)s - %(title).80s.%(ext)s to keep filenames organized and avoid filesystem length limits.
  • Rate Limiting: For large batches, add sleep between downloads to avoid IP bans.
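
The scan report's advice to minimize which cookie store the downloader can read can be applied by giving yt-dlp a cookie file that holds only TikTok cookies instead of a whole browser profile. The sketch below is an added example, not part of the skill or its script; it assumes a Netscape-format cookie export already exists, and the function names, file names and sample cookie values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the skill): keep only one site's cookies from a
# Netscape-format cookie file, so the downloader never sees other sessions.

# filter_cookie_jar IN OUT DOMAIN   (hypothetical helper name)
filter_cookie_jar() {
    (
        umask 077   # a newly created OUT is readable by the owner only
        awk -F '\t' -v d="$3" '
            BEGIN { print "# Netscape HTTP Cookie File" }
            {
                host = $1
                sub(/^#HttpOnly_/, "", host)       # HttpOnly cookies carry this prefix
                if (host ~ /^#/ || NF != 7) next   # comments, blanks, malformed rows
                host = tolower(host)
                sub(/^\./, "", host)
                n = length(host) - length(d)
                # exact host, or a true subdomain (rejects "nottiktok.com")
                if (host == d || (n > 0 && substr(host, n) == ("." d))) print
            }' "$1" > "$2"
    )
}

# Constructed sample jar: two TikTok cookies, one unrelated session, one lookalike.
write_sample_jar() {
    {
        printf '# Netscape HTTP Cookie File\n'
        printf '.tiktok.com\tTRUE\t/\tTRUE\t1893456000\tsample_a\tAAAA\n'
        printf '#HttpOnly_www.tiktok.com\tFALSE\t/\tTRUE\t1893456000\tsample_b\tBBBB\n'
        printf '.mail.example\tTRUE\t/\tTRUE\t1893456000\tsession\tCCCC\n'
        printf 'nottiktok.com\tFALSE\t/\tFALSE\t1893456000\tlookalike\tDDDD\n'
    } > "$1"
}

demo_dir=$(mktemp -d)
write_sample_jar "$demo_dir/all-cookies.txt"
filter_cookie_jar "$demo_dir/all-cookies.txt" "$demo_dir/tiktok-only.txt" tiktok.com
cat "$demo_dir/tiktok-only.txt"   # header line plus the two TikTok rows
rm -rf "$demo_dir"
# Then: yt-dlp --cookies tiktok-only.txt --batch-file urls.txt
```

The filtered file is passed with yt-dlp's `--cookies` option in place of `--cookies-from-browser`, so the browser data directory itself never has to be exposed to the skill.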
