Douyin Search
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill generally searches Douyin as advertised, but it can reuse OpenClaw’s existing browser profile and cookies without clearly bounding or prompting for that higher-impact access.
Review this skill before installing if you have sensitive browser sessions in OpenClaw. Prefer using a dedicated Douyin-only `.browser-profile/`, remove or disable the OpenClaw profile fallback, and install Playwright/Chromium from trusted, pinned versions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Douyin login may remain usable by this skill after the initial login.
The skill intentionally persists browser cookies so Douyin login only has to happen once. This is purpose-aligned and disclosed, but users should understand it is stored account/session state.
This uses a persistent browser profile at `.browser-profile/` to maintain login state... The persistent browser profile stores cookies
Only log in if you are comfortable with the skill retaining a Douyin session, and delete `.browser-profile/` if you want to revoke that local session.
The search may run using an existing browser session without a clear per-use prompt, potentially tying searches to your account or exposing broader browser-session access to the skill.
The script falls back to the broader OpenClaw browser profile, which may contain existing cookies or sessions, instead of only using the skill-owned `.browser-profile/` documented in the main flow.
OPENCLAW_PROFILE = "/root/.openclaw/browser/openclaw/user-data"
...
if os.path.exists(OPENCLAW_PROFILE):
    result2 = search_with_playwright(keyword, count, profile_dir=OPENCLAW_PROFILE)
Require explicit user approval before using the OpenClaw browser profile, or remove that fallback and restrict the skill to its own `.browser-profile/`.
Automated Douyin browsing could affect account trust or violate service rules, and disabling the browser sandbox can increase local impact if the browser is exploited.
The skill uses Playwright browser automation with flags that reduce Chromium sandboxing and automation detection. Browser automation is central to the stated purpose, but these flags increase operational and account-policy risk.
args=["--no-sandbox", "--disable-blink-features=AutomationControlled"]
Use the skill sparingly, comply with Douyin’s terms, and avoid `--no-sandbox` unless it is required by the execution environment.
Installation may download code and browser binaries whose versions are not fixed by the skill metadata.
The README requires manual installation of Playwright and Chromium, while the registry requirements only declare `python3` and no install spec. This is expected for a Playwright-based skill, but the dependency setup is under-declared and unpinned.
pip install playwright
playwright install chromium
Pin dependency versions and declare Playwright/Chromium requirements in the skill metadata or install spec.
