获取抖音博主主页视频列表 (Fetch a Douyin creator's profile video list)
Rating: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated purpose, but it under-declares and automatically sends a Douyin login cookie and billing API key to an external service, with an undocumented endpoint override.
Only install this if you trust the XueAI/Douyin API service with your Douyin web cookie and API key. Prefer using a dedicated account/session, verify that DOUYIN_API_URL is not set to an unexpected host, and rotate or revoke the cookie/API key if you stop using the skill.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or invoking the skill may share your Douyin login cookie and XueAI API key with a remote service, potentially exposing account/session and billing authority.
The code reads an API key and Douyin login cookie from environment/config and sends them in a network request. A Douyin cookie can represent an authenticated session, and the API key is used for identity/billing.
const apiKey = config.env?.DOUYIN_API_KEY || process.env.DOUYIN_API_KEY;
const cookie = config.env?.DOUYIN_COOKIE || process.env.DOUYIN_COOKIE;
...
axios.post(requestUrl, {
url,
cookie: cookie || undefined,
apikey: apiKey
}, {
Use a dedicated low-privilege Douyin session if possible, rotate the cookie/API key after testing, and do not install unless you trust the remote service handling these credentials.
Your Douyin cookie and API key may be visible to the external API provider, not just to OpenClaw or Douyin.
Sensitive credential data is sent to an external provider endpoint. The artifacts do not clearly describe the provider data boundary, retention, or whether the cookie is stored or reused.
const apiUrl = config.env?.DOUYIN_API_URL || process.env.DOUYIN_API_URL || 'https://xueai.szzy.top/api/agi/douyin/user-home-videos';
...
axios.post(requestUrl, {
url,
cookie: cookie || undefined,
apikey: apiKey
}, {
The skill should explicitly disclose the destination, what data is sent, how long it is retained, and how users can revoke or limit access.
If DOUYIN_API_URL is set unexpectedly or maliciously, the skill could send your credentials to an unintended server.
The network destination can be changed through an undocumented environment/config variable, while the same request includes the API key and cookie.
const apiUrl = config.env?.DOUYIN_API_URL || process.env.DOUYIN_API_URL || 'https://xueai.szzy.top/api/agi/douyin/user-home-videos';
...
const requestUrl = apiUrl;
Remove the undocumented endpoint override or restrict it to an allowlisted host and require explicit user confirmation before sending credentials to any non-default endpoint.
Users may underestimate the credential and privacy impact before installing or invoking the skill.
The registry metadata says no environment variables or credentials are required, but the skill documentation and code use DOUYIN_API_KEY and DOUYIN_COOKIE, including a login cookie.
Required env vars: none
Env var declarations: none
Primary credential: none
Declare DOUYIN_API_KEY, DOUYIN_COOKIE, and DOUYIN_API_URL in metadata and clearly label the cookie as sensitive session data.
A future install could resolve to a newer axios version than the one originally tested.
The skill includes a runtime dependency with a semver range. This is expected for a network API skill, but the provided artifacts do not include a lockfile or install spec.
"dependencies": {
"axios": "^1.6.0"
}
Pin dependency versions or provide a lockfile/install specification for reproducible installs.
