douyin-to-text
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: douyin-to-text Version: 1.0.0 The skill utilizes `npx` to execute an external npm package (`dytext-cli`) and transmits data, including API keys and URLs, to a third-party service (`api.dytext.cn`). While these actions are clearly documented in `SKILL.md` and `README.md` as necessary for Douyin transcription, the reliance on remote code execution and external data exfiltration represents a significant attack surface and inherent risk, fitting the criteria for suspicious behavior despite the lack of clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may download or run code from the dytext-cli npm package, so behavior ultimately depends on that external package.
The skill delegates execution to an external npm package through npx; this is central to the skill's purpose, but the package code is not included in the provided artifacts.
exec npx dytext-cli "$@"
Use only if you trust the dytext-cli npm package and its publisher; consider pinning or reviewing the package source before use.
Someone with access to the saved API key could potentially use the dytext account or consume its credits.
The skill stores a service API key locally, which is expected for this service but is still a credential that can affect account balance/history if exposed.
API Key 自动保存到 `~/.dycaption`,无需手动配置。
Treat the dytext API key as a secret, protect the ~/.dycaption file, and revoke or rotate the key if you no longer trust the environment.
Douyin links and account-related API information are shared with a third-party service during use.
The skill explicitly discloses that Douyin share links and the API key are sent to the dytext.cn backend for transcription.
将抖音分享链接和 API Key 发送到服务端进行语音转文字处理。
Only submit links you are comfortable sending to dytext.cn, and review the provider's privacy/security practices if the content is sensitive.