douyin-download
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Douyin download/transcription purpose, but its segmentation step can use a MiniMax API key and send transcript text to MiniMax even though the user-facing docs say it uses OpenClaw’s built-in LLM.
Review the MiniMax behavior before installing. If you only want download/transcription, use --no-segment or ensure MINIMAX_API_KEY is not present. Only process videos whose audio/transcript you are comfortable sending to the stated external providers, and ask the maintainer to document MiniMax and curl requirements clearly.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can run ffmpeg on local files and write derived audio/video outputs.
The skill runs a local ffmpeg process. This is purpose-aligned for video/audio processing, but it is still local binary execution.
const proc = spawn('ffmpeg', args);Use a trusted ffmpeg installation and keep downloads/output paths user-directed.
The skill may rely on curl being present even though the requirements do not make that clear.
The code invokes curl for API calls, while the listed required binary is only ffmpeg. This is an under-declared helper dependency, though it is purpose-aligned.
const proc = spawn('curl', [ '-X', 'POST', SILI_FLOW_BASE_URL, ... ])Declare curl as a required binary or replace it with the existing Node HTTPS implementation.
Audio extracted from the selected Douyin video is sent to SiliconFlow for transcription.
The audio file is uploaded to SiliconFlow for transcription. SKILL.md discloses SILI_FLOW_API_KEY for speech-to-text, so this is expected for the feature.
const SILI_FLOW_BASE_URL = 'https://api.siliconflow.cn/v1/audio/transcriptions'; ... '-F', `file=@${audioPath}`Use this only for videos you are comfortable sending to the transcription provider.
If segmentation runs with a MiniMax key available, transcript text may be shared with MiniMax without the user-facing docs making that clear.
The code sends transcript text to MiniMax for segmentation, while SKILL.md describes this as using OpenClaw's built-in LLM. That makes the external data boundary unclear.
const MINIMAX_BASE_URL = 'https://api.minimaxi.com'; ... { role: "user", content: text }Clearly document MiniMax as the segmentation provider, ask for user consent, or use the promised OpenClaw built-in LLM path.
A MiniMax credential present in the environment could be used for this skill even though users may not expect that from the metadata/SKILL.md.
The script can use a MiniMax account credential, but the declared requirements mention SILI_FLOW_API_KEY and do not clearly declare MINIMAX_API_KEY.
apiKey = process.env.MINIMAX_API_KEY; ... '-H', `Authorization: Bearer ${apiKey}`Declare MINIMAX_API_KEY explicitly as optional or required, and explain exactly when it will be used.
Users may make privacy or credential decisions based on an inaccurate description of the LLM provider.
The user-facing documentation says segmentation uses OpenClaw's built-in LLM, but douyin.js defines a MiniMax endpoint and MINIMAX_API_KEY flow for that step.
自动调用 OpenClaw 内置 LLM 进行**自然语义分段**
Update the documentation to match the implementation, or change the implementation to use the documented OpenClaw built-in LLM.