Skill v1.0.0

ClawScan security

douyin-hot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 26, 2026, 5:33 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements align: it’s a simple Node script that calls Douyin's public endpoint, processes results, and saves them to the workspace; it does not request credentials or perform unrelated actions.
Guidance
This skill appears coherent and straightforward: it needs Node.js and network access, calls Douyin's public endpoint, formats results, and writes douyin-hot-clean.json into your workspace. Before installing: (1) confirm you trust the skill source and are comfortable allowing network access; (2) ensure writing to the workspace/scripts path is acceptable (it will create that directory if missing); (3) be aware the endpoint may change or require login for some items—errors will cause the script to exit; (4) check Douyin's terms of service and rate limits if you plan frequent automated queries. The code is short and readable; review douyin-hot.js yourself if you want to verify behavior.

Review Dimensions

Purpose & Capability
ok: Name/description promise (抓取抖音热搜 Top 50, i.e. "fetch the Douyin hot-search Top 50") matches the implementation: the JS file issues an HTTPS GET to douyin.com/aweme/v1/web/hot/search/list/, formats and sorts results, and outputs a Top 50 list.
Instruction Scope
ok: SKILL.md describes direct API calls, formatting, and saving output to workspace/scripts/douyin-hot-clean.json; douyin-hot.js performs exactly those actions and does not read unrelated files, credentials, or external endpoints.
Install Mechanism
ok: No install spec; instruction-only plus a small Node.js script. The only runtime requirement is Node.js 18+ (declared). There are no downloads, package installs, or archive extraction.
Credentials
ok: The skill requests no secrets or credentials. It optionally reads WORKSPACE to locate the output directory (reasonable for controlling where results are written). No other environment variables or config paths are accessed.
Persistence & Privilege
ok: always is false and the skill does not alter other skills or system-wide settings. It writes output to a workspace/scripts JSON file (expected behavior for a scraper).