Douyin Downloader (Node.js)
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: douyin-downloader-nodejs
Version: 1.0.0

The skill is designed for legitimate video downloading and transcription, but it is classified as suspicious because of two input-handling weaknesses. The `douyin.js` script uses `child_process.spawn` to run `ffmpeg` and `ffprobe` with file paths built from user-controlled input (`outputDir` and the `video_id` derived from it). Because `spawn` is called with an argument array and no `shell` option, shell metacharacters in those values are not interpreted by a shell; the remaining concern is that an unvalidated value reaches ffmpeg as a raw argument (a path beginning with `-`, for example, would be read as an option rather than a file name). The more serious issue is that `outputDir` is passed directly to `path.join` when choosing where to write, which is a path traversal weakness: a value containing `..` segments or an absolute path can place files at arbitrary locations on the filesystem. There is no evidence of intentional malicious behavior such as data exfiltration or a backdoor.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will execute local media-processing binaries on downloaded media files.
The skill runs the local ffmpeg binary to extract audio from a downloaded video. This is expected for the stated transcription feature, but it is still local process execution.
const proc = spawn(ffmpegPath, args);
Install ffmpeg from a trusted source and run the skill only on videos you intend to process.
If you use the transcription feature, a local environment API key is used to authenticate with SiliconFlow.
The skill reads an API key from environment variables and sends it as a Bearer token to the transcription provider. This is disclosed and purpose-aligned, though the fallback to the generic API_KEY variable is broader than ideal: a credential set for some other tool could be picked up and sent to SiliconFlow.
apiKey = process.env.DOUYIN_API_KEY || process.env.API_KEY; ... 'Authorization': `Bearer ${apiKey}`
Prefer setting a dedicated DOUYIN_API_KEY for this skill rather than relying on a generic API_KEY environment variable.
Audio from the downloaded video may be uploaded to SiliconFlow for transcription.
For transcription, the skill reads the extracted audio file and posts it to the SiliconFlow transcription API. This external provider flow is disclosed by the skill description.
const DEFAULT_API_BASE_URL = 'https://api.siliconflow.cn/v1/audio/transcriptions'; ... const audioBuffer = fs.readFileSync(audioPath);
Use the transcription command only for videos whose audio you are comfortable sending to that provider.
