Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Douyin downloader + transcription) align with the code: it parses Douyin links, downloads videos, extracts audio, and posts audio to a transcription API. Minor mismatch: the registry metadata lists no required environment variables, but SKILL.md and the code expect an API key (DOUYIN_API_KEY or API_KEY) for transcription.
Instruction Scope
SKILL.md instructs running the included Node script and the code follows that. The code performs network requests to douyin.com (to resolve video info) and to https://api.siliconflow.cn/v1/audio/transcriptions to upload audio for transcription — this is expected for the stated feature but is important to note because it sends user audio to a third party. The SKILL.md examples reference an absolute skill workspace path; otherwise the instructions do not request unrelated system data.
Install Mechanism
This is an instruction-only skill with no install spec; nothing is downloaded or extracted by an installer, which is the lowest-risk install model.
Credentials
The skill requires an API key for transcription (DOUYIN_API_KEY or API_KEY) according to SKILL.md and the code, but the registry metadata reports no required environment variables or primary credential — that inconsistency is concerning because users may not realize they must provide a key. Otherwise, no unrelated credentials or high-privilege env vars are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It creates files in the specified output directories and invokes ffmpeg/ffprobe locally, which is appropriate for its purpose.
What to consider before installing
This skill appears to implement Douyin downloading and transcription, but check the following before installing:
- Be aware audio is uploaded to https://api.siliconflow.cn for transcription. Do not use the skill on sensitive audio unless you trust that service and its privacy policy.
- SKILL.md and the code require an API key (DOUYIN_API_KEY or API_KEY) but the registry metadata does not declare it — expect to provide that secret manually. Limit the key's scope if possible.
- The code spawns both ffmpeg and ffprobe; ensure those binaries are available (ffprobe may be part of ffmpeg on some systems). The metadata only listed ffmpeg — consider this a small mismatch.
- The skill writes video/audio/transcript files to the output folder you choose; run it in a sandboxed or disposable workspace if unsure.
- The repository/homepage is listed (https://github.com/yzfly/douyin-mcp-server). If you plan to use it, review the full source there and the remainder of douyin.js (the provided file was truncated in the package) so you can confirm no unexpected behavior exists.
If you want higher assurance, ask the publisher to update the metadata to declare the required env vars and to provide a full audit of network endpoints and any additional code paths not visible in the truncated file.
Like a lobster shell, security has layers — review code before you run it.
latest vk976k0n1tjzz2694xnt8ws5h9581nv44
Runtime requirements
🎵 Clawdis
Bins: ffmpeg
