ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

douyin-research-kit

v1.0.0

Extract and analyze Douyin (抖音) content using yt-dlp. Supports video metadata, caption extraction, user profile analysis, music/sound info, and engagement st...

0· 65·0 current·0 all-time
by江辰@xuya227939
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the runtime instructions: all examples use yt-dlp to extract Douyin video/profile/music/hashtag/live data. Requiring yt-dlp and browser cookies is consistent with the stated purpose (scraping/scraping-stable access to Douyin). There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md stays on-topic: it prescribes yt-dlp commands (--dump-json, --list-subs, etc.), parsing JSON, cleaning subtitles, and producing tables. One notable behavior: it repeatedly instructs use of --cookies-from-browser chrome (i.e., reading browser cookies) and writes temporary subtitle files (e.g., /tmp). Reading browser cookies is sensitive (session tokens) but is functionally justified for Douyin access. The instructions do not direct the agent to read other unrelated files, environment variables, or to transmit data to unexpected external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code. It recommends installing yt-dlp via brew or pip, which is appropriate and low-risk. The skill itself does not download or execute external archives or binaries.
Credentials
The skill declares no required environment variables or credentials. However, its recommended workflow implicitly requires access to browser cookies (via yt-dlp) and possibly a China IP/proxy for access; these are sensitive but proportionate to the task. Users should be aware that browser cookies contain session tokens and should avoid exposing them to untrusted processes or people.
Persistence & Privilege
The skill does not request persistent presence (always=false), does not modify other skills, and contains no install hooks. It is user-invocable and can be run by the agent, but there is no special privilege escalation or persistent background access.
Assessment
This skill is instruction-only and appears coherent for Douyin research, but be cautious before running the suggested commands: 1) yt-dlp's --cookies-from-browser reads browser cookies (session tokens). Do not share or expose cookies from your primary browser; consider using a disposable browser profile or manually exporting only the needed cookies. 2) Install yt-dlp from official sources (pip or the project's releases) to avoid malicious builds. 3) The skill writes temporary files (e.g., /tmp/*.srt); inspect any downloaded subtitle or JSON files before sharing. 4) Respect Douyin's terms of service and copyright law when extracting content. 5) If you need to download videos, the skill intentionally avoids providing download steps — follow your organization's policy for downloads, or use trusted tools. If you want higher assurance, ask the author for a code repository or signed release so you can verify the exact code being run.

Like a lobster shell, security has layers — review code before you run it.

latestvk972pkcdxvd1gwq0m4hw03gktn83g8fv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments