Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tdl Download Notify

v1.0.0

Automatically sends a WeChat notification through Server 酱 when a TDL download completes, including file name and size information

0· 60·1 current·1 all-time
by Wade @tang2606
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose is to download Telegram content with tdl and notify via Server 酱 — the code implements exactly that. However the registry metadata lists no requirements while SKILL.md metadata declares python 'requests' and a 'tdl' binary; this mismatch suggests the package metadata is incomplete. More importantly, the script embeds a Server 酱 SendKey (sctp6765t...aman) rather than requiring the user to provide credentials, which is not proportionate to a downloader/notify helper and is unexpected for a third‑party integration.
! Instruction Scope
Runtime instructions and the included script run the tdl binary, list and compare contents of a download directory, build file lists (names, sizes, modified times) and POST that information to the Server 酱 API using the embedded SendKey. Sending file metadata (file names, sizes, timestamps, directory path) to an external endpoint is effectively data exfiltration of metadata — acceptable only if the key belongs to the installer. SKILL.md also references local paths (/root/openclaw/...), but the script does not read those files; this discrepancy reduces clarity about where configuration should live.
Install Mechanism
No install spec is present (instruction-only plus a single script). That keeps disk writes limited to the included script and the tdl binary invocation; from an installation perspective this is low risk. Nothing is being downloaded/installed from arbitrary URLs by the skill.
! Credentials
No required environment variables or primary credential are declared, yet the script hardcodes a Server 酱 SendKey. Best practice would be to require a SENDKEY env var (or other explicit configuration). The skill also assumes a default download directory (/root/tdl_download), which implies root paths and could cause permission/visibility issues. The number and nature of implicit credentials (embedded key) is disproportionate and undocumented in registry metadata.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or global agent settings. It will execute autonomously if the agent is allowed to invoke skills (the platform default), which is expected for this kind of helper.
What to consider before installing
This skill's behavior is coherent with its stated purpose (running tdl and notifying via Server 酱), but there are several red flags you should address before installing or using it:
- Hard-coded SendKey: The script contains an embedded Server 酱 SendKey and will send file names, sizes, timestamps and the download directory to sctapi.ftqq.com using that key. If you do not control that SendKey, your download metadata will be sent to someone else. Ask the author to remove the embedded key and accept a SENDKEY via environment variable or configuration file.
- Metadata mismatch: The registry metadata does not declare required binaries or libraries, while SKILL.md says the script needs 'tdl' and the 'requests' Python package. Ensure tdl is installed and requests is available before running.
- Default paths and privileges: The default output_dir is /root/tdl_download. Consider changing this to a user-writable path and verify the agent will not gain access to unintended files.
- Data sent to third party: The notifications include file metadata. Confirm that you (or your organization) are comfortable with that metadata leaving your host and going to the Server 酱 account associated with the key.
Recommended actions before installing:
1) Replace the hard-coded SENDKEY with a required environment variable (and update registry metadata to declare it).
2) Confirm/own the SendKey (or provide your own) so notifications go to an account you control.
3) Update registry metadata to declare dependencies (tdl, requests) and the expected configuration paths.
4) Run the script in a sandbox or test environment first to confirm outputs and that only expected data is transmitted.
5) If you cannot verify/control the SendKey, do not install or run this skill — it would leak download metadata to a third party.
Given these issues (especially the embedded credential and metadata inconsistencies) I rate the package as suspicious rather than clearly benign; fixing the points above would move it toward benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f6dywphs0rmsp3qgpn6pvgh84d802
60 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

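TDL download + Server 酱 notification

After downloading Telegram resources, automatically sends a WeChat notification through Server 酱 with detailed file information.

Configuration

Prerequisites

  1. TDL is installed and logged in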

    tdl --version
    tdl login
    
  2. Server 酱 is configured

    • SendKey: sctp6765tcomfljakjcquc4e7mdaman
    • The Server 酱 official account is followed in WeChat

Default download directory

/root/tdl_download

Can be overridden with a parameter.

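Usage

Method 1: Command-line invocation

    # Basic usage
    python3 /root/openclaw/Data/OpenClaw/skills/tdl-download-notify/tdl_download_notify.py <chat_id> <message_id>

    # Specify the download directory
    python3 .../tdl_download_notify.py 1340124720 126326 /root/downloads

    # Example: download a message from a Telegram channel
    python3 tdl_download_notify.py 1340124720 126326

Method 2: Use within OpenClaw

Just tell me:

"Download this Telegram link and notify me: https://t.me/c/1340124720/126326"

I will automatically run the download and send a WeChat notification.

Notification content

✅ Download succeeded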

✅ 下载完成

📥 来源:https://t.me/c/1340124720/126326
📁 目录:/root/tdl_download
📊 数量:2 个文件
💾 总大小:1.23 GB

文件列表:

📄 视频文件.mp4
   大小:800.50 MB
   时间:2026-03-18 00:15:30

📄 图片.jpg
   大小:2.35 MB
   时间:2026-03-18 00:15:32

⏱️ 耗时:2 分 15 秒
🕐 完成时间:2026-03-18 00:15:32

❌ Download failed

❌ 下载失败

📥 来源:https://t.me/c/1340124720/126326
❌ 错误:message not found

⏱️ 耗时:0 分 5 秒
🕐 失败时间:2026-03-18 00:15:32

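Parameters

Parameter | Type | Required | Description
chat_id | string | | Telegram chat ID
message_id | string | | Telegram message ID
output_dir | string | | Download directory (default: /root/tdl_download)

Features

Automatic notification - sends a WeChat message automatically when the download completes
File information - includes file name, size, and modification time
Multi-file support - automatically detects all newly downloaded files
Failure notification - also notifies when a download fails
Elapsed time - shows how long the download took
Smart detection - automatically compares the file list before and after the download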
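
An added example (not the skill's own script) of the before/after file-list comparison listed above, combined with the scan report's recommendation to take the key from a SENDKEY environment variable. The function names and the `include_names` switch are assumptions made for this illustration, and the sample files are constructed; nothing is sent over the network.

```python
import os
import tempfile
from pathlib import Path

def snapshot(directory):
    """Map file name -> (size, mtime) for regular files directly in `directory`."""
    return {p.name: (p.stat().st_size, p.stat().st_mtime)
            for p in Path(directory).iterdir() if p.is_file()}

def new_files(before, after):
    """Names that are new, or whose size/mtime changed, since `before`."""
    return sorted(n for n, meta in after.items() if before.get(n) != meta)

def load_sendkey(env=os.environ):
    """Return the installer's own key from SENDKEY; no built-in fallback key."""
    key = env.get("SENDKEY", "").strip()
    if not key:
        raise RuntimeError("SENDKEY is not set; refusing to send a notification")
    return key

def build_message(directory, names, after, include_names=True):
    """Build the notification body; include_names=False reports counts only,
    so file names never leave the host."""
    total = sum(after[n][0] for n in names)
    lines = [f"Directory: {directory}", f"Files: {len(names)}",
             f"Total bytes: {total}"]
    if include_names:
        lines += [f"- {n} ({after[n][0]} bytes)" for n in names]
    return "\n".join(lines)

def demo():
    """Constructed sample run in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "old.bin").write_bytes(b"x" * 10)      # present before the download
        before = snapshot(d)
        Path(d, "video.mp4").write_bytes(b"y" * 2048)  # simulated download result
        after = snapshot(d)
        names = new_files(before, after)
        key = load_sendkey({"SENDKEY": "EXAMPLE-KEY-NOT-REAL"})  # placeholder key
        return names, build_message(d, names, after, include_names=False), key

if __name__ == "__main__":
    print(demo())
```
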

Related files

  • Script path: /root/openclaw/Data/OpenClaw/skills/tdl-download-notify/tdl_download_notify.py
  • Server 酱 configuration: /root/openclaw/Data/OpenClaw/skills/serverchan/serverchan.py
  • Default download directory: /root/tdl_download

Related links
