Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
myskill
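v1.0.0
Fetches Douyin hot list / trending search data, covering popular content across multiple areas such as trending videos, challenges, and music, and outputs the title, popularity value, jump link, and cover image (if available).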
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill scrapes Douyin hot lists and outputs titles, popularity, links and optional cover URLs — this matches the name/description. Minor metadata inconsistencies: package.json and SKILL.md assume the 'node' binary (scripts run with `node`), but the top-level registry metadata listed 'Required binaries: none'. The included cron/automation files hardcode a Telegram chat_id but do not include any Telegram token.
Instruction Scope
SKILL.md instructs running the local Node scripts (e.g., `node scripts/douyin.js hot`). The scripts make HTTPS requests only to douyin.com, parse JSON, print/save results and write local output files. They do not read arbitrary system files or environment variables, nor do they exfiltrate data to unexpected remote endpoints.
Install Mechanism
No install spec — instruction-only with bundled scripts. No network downloads or archive extraction during install. The only runtime dependency is Node.js (scripts assume it exists).
Credentials
The skill requests no environment variables or credentials. A Telegram chat_id is hardcoded in cron-job.js but no tokens or secrets are requested or stored. No disproportionate credential access is present.
Persistence & Privilege
always is false; the skill does not modify other skills or system configuration. It writes output files into its own directory (logs/JSON) which is reasonable for a scraper.
Assessment
This package appears to do what it says: local Node scripts fetch and format Douyin hot-trend data and save it to files. Before installing, ensure Node.js is available (the package expects `node`), and run the code in a sandbox or review it yourself. Note the registry metadata omitted the Node requirement — that's a minor inconsistency. The cron/cron-job file hardcodes a Telegram chat_id but no token; if you plan to enable automatic delivery to Telegram or other channels, implement secure credential handling (do not hardcode tokens) and limit permissions. Also be aware that scraping public web endpoints can trigger rate-limiting or anti-bot protections; use responsibly and respect terms of service. If you need higher assurance, ask the publisher for a canonical source/homepage or signed releases.
cron-job.js:16
Shell command execution detected (child_process).
scripts/get-hot-trend.js:16
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
