ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi-Platform Video Downloader

v1.0.0

Universal video downloader supporting multiple platforms (Douyin, Bilibili, YouTube, TikTok, etc.). Can download videos by URL or search by keyword (Douyin s...

0· 183·0 current·0 all-time
by@wwkgit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the Python script all consistently implement a multi-platform video downloader using yt-dlp and DrissionPage. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
SKILL.md only instructs building a Docker image or installing Python deps and running the script. The runtime instructions and code perform network requests, spawn yt-dlp subprocesses, and use browser automation to fetch pages and video URLs. That behavior is expected for this purpose, but browser automation will execute arbitrary JavaScript on visited pages and can access resources reachable from the host (including local network endpoints or any authenticated browser session/cookies), so users should avoid passing sensitive internal URLs or credentials.
Install Mechanism
No packaged install spec; the README recommends pip installs (yt-dlp, DrissionPage). Installing from PyPI is typical but carries the usual supply-chain risk. DrissionPage will auto-download a Chrome/Chromium binary at runtime (as noted in docs), which pulls a large executable from the network — expected for browser automation but worth noting.
Credentials
The skill requests no environment variables or credentials. The code writes downloaded media and metadata to disk in the chosen output directory; it does not require unrelated secrets or system credentials.
Persistence & Privilege
Skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills' configs. Its persistence is limited to writing downloaded files and metadata in the output directory.
Assessment
This skill appears to do what it says: download videos using yt-dlp or browser automation. Before installing and running it: (1) prefer running inside a container (Docker) or isolated environment to limit filesystem/network access; (2) be aware DrissionPage will auto-download a Chromium binary and will run a real browser session — don't use browser mode with URLs that require sensitive cookies, or from inside networks you don't want probed; (3) pip installs from PyPI are normal but carry supply-chain risk—inspect sources if you require high assurance; (4) review the full script yourself (or run in a disposable VM) if you plan to run it on a machine with access to sensitive networks or credentials. If you provide the rest of the truncated script for review, I can raise confidence or surface further issues.

Like a lobster shell, security has layers — review code before you run it.

latestvk979fmmdzfba20jza61pf7sy2982yphj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments