v1.0.0

抖音自动发布 (Douyin auto-publish)

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:11 AM.

Analysis

The skill appears intended to automate Douyin posting, but it handles login sessions, can publish publicly without a shown final approval step, and sends platform credentials/metadata to an HTTP third-party service for point deduction.

Guidance: Install only if you trust the publisher and the EasyClaw/Chanjing platform endpoint. Before use, confirm the exact Douyin account, video, title, tags, schedule, and point cost; protect the saved cookie files; and prefer HTTPS-configured platform credentials.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/publish.py
print("[6/6] 准备立即发布...") ... # click publish
await self._publish(page)

The local browser automation proceeds from upload metadata entry to the publish action; no artifact shows a final user approval step before posting or scheduling content.

User impact: If invoked with a video, title, and cookie profile, the skill can publish or schedule content to the user's Douyin account rather than only preparing a draft.
Recommendation: Require explicit confirmation of the Douyin account, video, title, tags, schedule, and public-posting impact before running the publish step; consider a draft-only or manual-final-click mode.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
No install spec — this is an instruction-only skill. ... Required env vars: none ... Primary credential: none

The package metadata under-declares setup and credential needs compared with the README/code, which require Playwright/browser dependencies and platform API environment variables.

User impact: Users may not see required dependencies or credentials in the registry before install and may need to follow manual setup instructions.
Recommendation: Declare required environment variables and dependencies in metadata/install specs, and pin or document package versions where possible.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/platform_client.py
DEFAULT_PLATFORM_BASE_URL = "http://easyclaw.bar/shuzirenapi" ... headers = {"X-API-Token": platform_token} ... "X-API-Key": api_key, "X-API-Secret": api_secret

Platform API credentials are attached to requests whose default base URL is plain HTTP, exposing sensitive tokens/keys to an external service without transport protection by default.

User impact: A platform token or key/secret could be intercepted or misused, potentially authorizing publishes or spending platform points tied to the user's account.
Recommendation: Use HTTPS-only endpoints, declare the required credentials in metadata, scope and rotate tokens, and let users verify or override the platform base URL.
Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
README.md
Deduct the configured points from the current user.

The preferred workflow mutates a platform account balance before local publishing, while the registry-facing description focuses on Douyin uploading and does not surface the points/billing-like impact.

User impact: Running the publish workflow can consume platform points in addition to posting to Douyin.
Recommendation: Clearly disclose point costs in the registry metadata and require user confirmation before deduction, including failure/refund behavior.
Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
scripts/get_cookie.py
await context.storage_state(path=str(cookie_file))

The skill saves authenticated Douyin browser state to a local cookie file; this is expected for browser automation but is a reusable account session.

User impact: Anyone or any local process with access to the cookie file may be able to act as the logged-in Douyin account.
Recommendation: Store cookie files in a protected location, use separate named profiles for accounts, and delete or refresh cookies when they are no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
scripts/publish.py
        "title": title,
        "video_file_name": Path(video_path).name,
        "cover_file_name": Path(cover_path).name if cover_path else None,
        "tags": tags,
        "schedule_time": schedule_time

The publish authorization payload sends content metadata such as title, filenames, tags, and schedule time to the external platform API; this is disclosed as part of the points flow but is still a data-sharing boundary.

User impact: The external platform can see metadata about the user's planned Douyin posts, even though the artifact does not show video-content upload to that platform.
Recommendation: Make this data sharing explicit to users, avoid sensitive filenames or titles when possible, and use HTTPS for all platform communication.