critical
suspicious.dangerous_exec
- Location
- douyin.js:134
- Finding
- Shell command execution detected (child_process).
抖音下载器(Node.js)
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
The skill will execute local media-processing binaries on downloaded media files.
Why it was flagged
The skill runs the local ffmpeg binary to extract audio from a downloaded video. This is expected for the stated transcription feature, but it is still local process execution.
Skill content
const proc = spawn(ffmpegPath, args);
Recommendation
Install ffmpeg from a trusted source and run the skill only on videos you intend to process.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
If you use the transcription feature, a local environment API key is used to authenticate with SiliconFlow.
Why it was flagged
The skill reads an API key from environment variables and sends it as a Bearer token to the transcription provider. This is disclosed and purpose-aligned, though the generic API_KEY fallback is broader than ideal.
Skill content
apiKey = process.env.DOUYIN_API_KEY || process.env.API_KEY; ... 'Authorization': `Bearer ${apiKey}`Recommendation
Prefer setting a dedicated DOUYIN_API_KEY for this skill rather than relying on a generic API_KEY environment variable.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Audio from the downloaded video may be uploaded to SiliconFlow for transcription.
Why it was flagged
For transcription, the skill reads the extracted audio file and posts it to the SiliconFlow transcription API. This external provider flow is disclosed by the skill description.
Skill content
const DEFAULT_API_BASE_URL = 'https://api.siliconflow.cn/v1/audio/transcriptions'; ... const audioBuffer = fs.readFileSync(audioPath);
Recommendation
Use the transcription command only for videos whose audio you are comfortable sending to that provider.