Douyin Upload Skill
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill mostly matches its Douyin upload purpose, but it under-declares credential use and its default transcription path can upload video audio to a cloud ASR provider despite local/privacy claims.
Install only if you are comfortable granting Douyin publishing access and handling local video/audio data. If privacy matters, set ASR mode to local Whisper, verify the ASR URL, keep auto-confirm disabled, and periodically clear transcript/outbox files.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe video audio stays local when the default transcription path can send extracted audio to a cloud provider.
The README makes a strong privacy/local-only claim while also saying third-party API ASR is the default; the code confirms audio can be sent to an ASR API.
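“The entire process never requires uploading the video's original audio to any cloud ASR service, which absolutely protects privacy!” ... “Three ASR modes: supports `third-party service API` (default)”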
Clarify the README/SKILL.md wording, make local Whisper the default if privacy is promised, and require explicit user acknowledgement before cloud ASR upload.
Private speech from local videos may leave the machine for transcription unless the user switches to a local Whisper mode.
The selected video's extracted audio is sent to a configurable ASR API endpoint with an API key; constants set API ASR as the default mode and OpenAI as the default URL.
form.append("file", new File([fileBuffer], fileName, { type: "audio/wav" })); ... response = await fetch(apiUrl, { method: "POST", headers: { Authorization: `Bearer ${apiKey}` }, body: form, ... })
Before use, verify DOUYIN_ASR_MODE and DOUYIN_ASR_API_URL; use whisper-cpu/whisper-gpu for local-only transcription.
Users and installers may not receive a clear permission warning that the skill uses account credentials and can publish through a Douyin account.
This is materially incomplete because SKILL.md requires DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, and DOUYIN_REDIRECT_URI before auth/publish, and the code stores OAuth tokens for later publishing.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare required credentials, OAuth scopes, token storage, and publishing authority in metadata/capability signals.
If used with the wrong caption, visibility, or auto-confirm settings, it could post unintended public content.
Publishing public Douyin videos is the skill's purpose and the documented example keeps confirmation off by default, but it remains a high-impact account action.
`publish`: uploads and creates video via official API ... `--private-status 0` ... `--auto-confirm false`
Review the final caption and visibility every time, and leave auto-confirm disabled unless running a deliberately controlled automation pipeline.
The skill will invoke local programs as part of normal operation.
The skill runs a local command to open the OAuth URL; related media processing also relies on local ffmpeg/ffprobe/whisper binaries.
const proc = spawn("xdg-open", [url], { detached: true, stdio: "ignore" });
Use trusted system binaries and review configured binary paths before running.
A compromised or changed upstream dependency/model could affect local transcription behavior.
The setup instructions download external source/model artifacts without pinning a commit or checksum; this is user-directed and purpose-aligned for local ASR.
git clone https://github.com/ggerganov/whisper.cpp.git ... curl -L https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-small.bin
Pin commits or checksums for external tools/models if using this in a sensitive or repeatable environment.
Transcripts, captions, and source-path metadata may remain on disk after publishing or fallback export.
The skill stores transcript cache and fallback outbox data locally for reuse; this is bounded to selected videos but can retain sensitive captions/transcripts.
const DEFAULT_TRANSCRIPT_CACHE_DIR = path.join(CACHE_DIR, "transcripts"); ... const DEFAULT_OUTBOX_DIR = path.join(DATA_DIR, "outbox");
Clear cache/outbox directories when finished and set custom directories if you need stricter retention controls.
