Douyin Downloader - douyin_downloader

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to match its stated Douyin video-download purpose, but users should be aware that it depends on a third-party TikHub API token and writes downloaded files to the local filesystem.

Before installing, make sure you are comfortable registering with TikHub, storing a TikHub API token in ~/.openclaw/config.json, and sending Douyin links or modal_id values to TikHub for resolution. The provided code is consistent with a downloader and does not show hidden background behavior or token logging.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings for this skill version.

Malicious: 0
Suspicious: 0
Harmless: 0
Undetected: 64

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read the OpenClaw config file obtains the TikHub token, and with it the API access, quota, and billing tied to that TikHub account.

Why it was flagged

The script reads a local TikHub API token and sends it as a bearer token to the TikHub API. This is expected for the stated integration, but it is credential use that users should recognize.

Skill content
config_path = os.path.expanduser("~/.openclaw/config.json") ... token = config.get("tikhub_api_token") ... "Authorization": f"Bearer {token}"
Recommendation

Use a dedicated, revocable TikHub token, keep ~/.openclaw/config.json readable only by your own user (mode 0600), and avoid storing unrelated secrets in the same config file.

What this means

Each download creates, or silently overwrites, an MP4 file named by the script in the current working directory.

Why it was flagged

The script performs network downloads and writes video content to a local MP4 file. This is central to the skill's purpose, but it is still local file-writing behavior.

Skill content
resp = requests.get(url, headers=headers, timeout=60) ... with open(output_path, "wb") as f: f.write(resp.content)
Recommendation

Run it only for videos you intend to download, run it from a dedicated directory so an overwrite cannot clobber unrelated files, and check the saved file name and location after completion.
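The two findings above (credential use and local file writes) in one hardened form, as an added example that is not code from the skill or from ClawScan. It reads the same tikhub_api_token key from the config path the excerpt names, refuses a config file that other users can read, logs only a redacted token, confines the output file to a chosen directory, and fails instead of overwriting an existing MP4. The fetch callback, the constructed response bytes, the output-name rule and the demo() flow are assumptions for illustration; demo() exercises everything offline against a constructed config and a fake fetch, so it never contacts TikHub.

```python
import json
import os
import re
import stat
import tempfile
from typing import Callable, Dict

# Same config location and key as the scanned skill excerpt.
CONFIG_PATH = os.path.expanduser("~/.openclaw/config.json")
TOKEN_KEY = "tikhub_api_token"

# Assumed rule for the generated file name: a single path component, no separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def load_token(config_path: str = CONFIG_PATH) -> str:
    """Read the TikHub token, refusing a config file readable by group or others."""
    st = os.stat(config_path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{config_path} is readable by other users; chmod 600 it")
    with open(config_path, "r", encoding="utf-8") as f:
        config = json.load(f)
    token = config.get(TOKEN_KEY)
    if not isinstance(token, str) or not token.strip():
        raise ValueError(f"{TOKEN_KEY} missing from {config_path}")
    return token.strip()


def redact(token: str) -> str:
    """Form of the token that is safe to log: only the last four characters survive."""
    return "****" + token[-4:] if len(token) > 4 else "****"


def auth_headers(token: str) -> Dict[str, str]:
    """Bearer header exactly as the skill sends it."""
    return {"Authorization": f"Bearer {token}"}


def safe_output_path(name: str, out_dir: str = ".") -> str:
    """Resolve <out_dir>/<name>.mp4, rejecting traversal and refusing to overwrite."""
    if not SAFE_NAME.match(name) or name.startswith("."):
        raise ValueError(f"unsafe output name: {name!r}")
    path = os.path.join(os.path.realpath(out_dir), name + ".mp4")
    if os.path.exists(path):
        raise FileExistsError(path)
    return path


def download(url: str, token: str, output_path: str,
             fetch: Callable[[str, Dict[str, str]], bytes]) -> int:
    """Fetch the video bytes and write them with O_EXCL so a race cannot overwrite.

    fetch(url, headers) -> bytes is injected (assumption) so the flow runs without
    network; the real skill would pass a requests-based function here.
    """
    data = fetch(url, auth_headers(token))
    fd = os.open(output_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return len(data)


def demo() -> dict:
    """Run the helpers end to end with a constructed config and a fake fetch."""
    work = tempfile.mkdtemp()
    cfg = os.path.join(work, "config.json")
    fd = os.open(cfg, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump({TOKEN_KEY: "tk_example_0000abcd"}, f)  # constructed, not a real token
    token = load_token(cfg)

    seen: Dict[str, str] = {}

    def fake_fetch(url: str, headers: Dict[str, str]) -> bytes:
        seen["auth"] = headers["Authorization"]
        return b"\x00\x00\x00\x18ftypmp42"  # constructed bytes standing in for an MP4

    out = safe_output_path("7000000000000000000", work)
    size = download("https://example.invalid/video", token, out, fake_fetch)

    try:
        safe_output_path("7000000000000000000", work)  # same name again
        overwrite_blocked = False
    except FileExistsError:
        overwrite_blocked = True
    try:
        safe_output_path("../escape", work)  # traversal attempt
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True

    return {
        "redacted": redact(token),
        "auth_ok": seen["auth"] == "Bearer tk_example_0000abcd",
        "size": size,
        "overwrite_blocked": overwrite_blocked,
        "traversal_blocked": traversal_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The permission check is the one most downloader scripts skip: a 0644 config file hands the TikHub token to every local user, which is the exposure the first finding describes. Writing with O_EXCL turns the second finding's silent overwrite into a visible error.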

What this means

Users have less external information for verifying the publisher or upstream project.

Why it was flagged

The registry metadata does not provide an upstream source or homepage. The included artifacts are small and coherent, but provenance is limited.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the included script before use and install only if you trust this registry package and owner.