Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Transcribe

v1.0.1

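Fully automated Douyin video download + speech-to-text pipeline. Use it when the user sends a Douyin link and asks for a transcript, subtitle extraction, or speech-to-text conversion. Trigger phrases include "抖音转写", "抖音文字", "抖音转文本", "抖音字幕", and "douyin transcribe".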

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mengzi53/xiaofei-ziyong-douyin-transcribe.

Install the skill "Douyin Transcribe" (mengzi53/xiaofei-ziyong-douyin-transcribe) from ClawHub.
Skill page: https://clawhub.ai/mengzi53/xiaofei-ziyong-douyin-transcribe
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiaofei-ziyong-douyin-transcribe

ClawHub CLI

npx clawhub@latest install xiaofei-ziyong-douyin-transcribe

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (Douyin download + local transcription) matches the code: Node script to obtain a CDN video URL, curl to download, ffmpeg to extract audio, and a local ASR (coli/faster-whisper). However the Node script imports puppeteer-core from a hardcoded /tmp path and launches Chrome at /usr/bin/google-chrome — these hardcoded paths are unusual and not explained in the SKILL.md.
Instruction Scope
SKILL.md instructs installing coli, the sensevoice model, Node/ffmpeg — consistent with purpose — but the code (feishu_upload.py) reads FEISHU_APP_TOKEN and FEISHU_TOKEN from the environment in a subprocess (even though the README doesn't declare these env vars). The Node script navigates to an external parsing site (hellotik.app) and intercepts network requests; that is expected for extracting CDN links but means the skill will load external web content and rely on it. Overall the runtime instructions and code reference environment variables and behaviors not clearly documented.
Install Mechanism
There is no install spec in the registry (instruction-only), which is lower risk, but SKILL.md asks the operator to globally install npm packages and download a ~60MB model from GitHub. The Node script expects puppeteer-core to be available at /tmp/puppeteer_test/node_modules/puppeteer-core and expects a local Chrome binary at /usr/bin/google-chrome; those implicit / non-standard install expectations are fragile and surprising.
Credentials
The registry declares no required env vars, but feishu_upload.py attempts to read FEISHU_APP_TOKEN and FEISHU_TOKEN (via a python -c stub) and the Node script can read DOUYIN_URL from the environment (transcribe.py sets this when invoking). The skill's docs do not declare FEISHU_APP_TOKEN/FEISHU_TOKEN as required; that mismatch could surprise users. Otherwise the skill does not demand broad credentials.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system-wide agent settings. It writes temporary files to the specified output dir only and has an optional cleanup flag.
Scan Findings in Context
[pre-scan-injection-none] expected: No static injection signals were detected. That is consistent with the skill being primarily a script-driven pipeline rather than containing obvious obfuscated payloads.
What to consider before installing
This skill appears to implement the stated Douyin→audio→local-ASR pipeline, but there are several things to check before installing or running it:

1) The Node script uses a non-standard import path (/tmp/puppeteer_test/node_modules/puppeteer-core) and expects Chrome at /usr/bin/google-chrome; verify these paths or adjust the script to use your system's Node/puppeteer and Chrome.
2) The script navigates to an external parser site (hellotik.app) and intercepts network traffic to find CDN URLs. This is necessary for the task but means the code loads third-party web content during execution.
3) feishu_upload.py references FEISHU_APP_TOKEN and FEISHU_TOKEN (environment variables) in a placeholder; the SKILL metadata does not declare these. If you plan to use Feishu upload, confirm what credentials are actually required and do not expose broad tokens to untrusted code.
4) The skill instructs installing a global npm ASR CLI and downloading a model from GitHub. These network downloads and global installs should be performed in a controlled environment (container or VM) if you are concerned about supply-chain or permission issues.
5) The Node launch uses Chrome flags like --no-sandbox; running headless Chrome without a sandbox has security implications, so prefer running in a sandboxed container.

If these oddities (hardcoded paths, undeclared env vars, external site dependency) are acceptable and you review the scripts locally before running, the risk is moderate; otherwise treat the skill as untrusted and run it in isolation or decline to install.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cw29scrnnrwvds667w4fkp583vph1
115 downloads
0 stars
2 versions
Updated 4w ago
v1.0.1
MIT-0

Douyin Video Transcribe Skill

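Fully automated Douyin video download + speech-to-text pipeline.

Features

Douyin link in → automatically resolve the direct link → download the video → extract the audio → local speech-to-text → output the transcript

Dependency installation (first run only)

# 1. Install coli (speech-to-text engine)
npm install -g @marswave/coli

# 2. Install the sensevoice model (downloaded automatically on first use, about 60MB; a proxy is needed to reach GitHub)
# The model is saved under ~/.coli/models/ after download

# 3. ffmpeg (audio processing; already present on the system)

# 4. Node.js (used by the video URL interception script)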

Usage

Basic usage (transcribe only, no Feishu upload)

python3 ~/.openclaw/skills/douyin-transcribe/scripts/transcribe.py \
  --url "https://v.douyin.com/xxxxx"

Specify an output directory

python3 ~/.openclaw/skills/douyin-transcribe/scripts/transcribe.py \
  --url "https://v.douyin.com/xxxxx" \
  --output-dir /tmp/my_videos

Full usage (transcribe + upload to Feishu)

python3 ~/.openclaw/skills/douyin-transcribe/scripts/transcribe.py \
  --url "https://v.douyin.com/xxxxx" \
  --folder-token <feishu-drive-folder-token> \
  --space-id <feishu-knowledge-base-space-id>

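Parameters

Parameter             Description
--url, -u             Douyin video link (required)
--output-dir, -o      Temporary file directory, default /tmp
--folder-token, -f    Feishu Drive folder token
--space-id, -s        Feishu knowledge base space ID
--no-feishu           Skip the Feishu upload step
--cleanup             Delete local temporary files (video + audio) when finished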

Output

  • Prints the full transcript to the terminal
  • Saves transcript.txt locally in --output-dir
  • Local video/audio files stay in --output-dir (unless --cleanup is specified)

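Technical flow

Douyin link
  └─→ Node.js (puppeteer-core + Chrome)
  │     └─→ Open hellotik.app
  │     └─→ Enter the link and click parse
  │     └─→ Intercept network requests to obtain the CDN direct link
  └─→ curl downloads the video (direct link)
  └─→ ffmpeg extracts the audio (WAV, 16kHz mono)
  └─→ coli asr --model sensevoice (local ASR, about 1-3 minutes)
  └─→ Output the transcript + optional Feishu upload step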

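Model notes

  • sensevoice: Alibaba's open-source multilingual ASR; supports Chinese/English/Japanese/Korean/Cantonese, about 60MB
  • Runs locally, no API key required, fully offline
  • On an Intel Celeron J1900, processing 1 minute of audio takes about 1-2 minutes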

Feishu upload notes

To upload to Feishu, pass --folder-token and --space-id when invoking the script.

Currently configured:

  • Video asset library folder_token: RCIDfArx5lgZTIdO1SAcDU37n0e
  • Video script library space_id: 7622229283829763274

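FAQ

Q: The message "无法获取视频直链" ("unable to obtain the direct video link") appears
A: CDN links expire (within a few minutes); retrying a few times is usually enough. Alternatively, hellotik parsing failed; try again later.

Q: Transcription takes too long
A: The sensevoice model is fairly large, and processing speed depends on the CPU. You can switch to the whisper-tiny model (faster, but English only).

Q: The video is very short / has no sound
A: Some Douyin videos are pure music or images; speech transcription will fail or produce very short output.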
