douyin-to-text
PassAudited by ClawScan on May 7, 2026.
Overview
This skill appears to match its stated purpose, but it depends on an external npm CLI and sends/saves a dytext API key and Douyin links, so users should trust dytext.cn and dytext-cli before using it.
This skill is reasonable for its stated purpose if you trust dytext.cn and the dytext-cli npm package. Before installing, be aware that it may run external npm code, save an API key under ~/.dycaption, and send Douyin share links plus the API key to the dytext.cn service.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may download or run code from the dytext-cli npm package, so behavior ultimately depends on that external package.
The skill delegates execution to an external npm package through npx; this is central to the skill's purpose, but the package code is not included in the provided artifacts.
exec npx dytext-cli "$@"
Use only if you trust the dytext-cli npm package and its publisher; consider pinning or reviewing the package source before use.
Someone with access to the saved API key could potentially use the dytext account or consume its credits.
The skill stores a service API key locally, which is expected for this service but is still a credential that can affect account balance/history if exposed.
API Key 自动保存到 `~/.dycaption`,无需手动配置。
Treat the dytext API key as a secret, protect the ~/.dycaption file, and revoke or rotate the key if you no longer trust the environment.
Douyin links and account-related API information are shared with a third-party service during use.
The skill explicitly discloses that Douyin share links and the API key are sent to the dytext.cn backend for transcription.
将抖音分享链接和 API Key 发送到服务端进行语音转文字处理。
Only submit links you are comfortable sending to dytext.cn, and review the provider's privacy/security practices if the content is sensitive.