Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
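Download stills/posters for movies/TV series/variety shows
v1.0.1
Batch-download stills and posters for Douban movies/TV series/variety shows. Enter a title and the skill searches and downloads automatically; it is fully automated and needs no login. Supports cache de-duplication and anti-scraping delays. Use when the user mentions "download stills", "get posters", or "batch download images".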
by z_j @zj-john
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: Node.js scripts that search Douban, extract photo IDs (optionally with Playwright), and download images while handling Referer and redirects. Required binaries (node, npm) and the playwright dependency are coherent with the stated scraping/downloading functionality.
Instruction Scope
SKILL.md and the JS files instruct the agent to run the included Node scripts and save files under the user's home directory. The code only accesses network resources (Douban and image hosts) and local filesystem directories under the user's home. Minor inconsistency: SKILL.md claims 'does not connect to existing browser sessions for privacy', while some comments and examples in the code mention inheriting or connecting to an existing browser session or remote debugging; the actual Playwright functions in the code launch a new headless browser. This is a documentation/code mismatch, not obviously malicious behavior.
Install Mechanism
Install uses the well-known npm package 'playwright' (expected for headless browser scraping). Playwright will typically download browser binaries during install which increases disk usage and performs network downloads — expected for this use-case but worth noting as extra installation footprint.
Credentials
The skill requests no environment variables or credentials and does not access configs outside its download directory. It only uses the network to contact Douban and image host domains, which is proportional to its stated purpose.
Persistence & Privilege
always:false and no special privileges requested. The skill writes files only under the user's home (.openclaw/output/photo-download or ~/download/photos) and does not attempt to modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: scrape Douban pages and download images. Before installing, consider: 1) Legal/ToS: scraping may violate Douban's terms — only use for small-scale/personal use as the README warns. 2) Playwright side-effects: installing playwright will download browser binaries and use additional disk space and network traffic. 3) Filesystem: downloaded images are saved under your home directory (~/.openclaw/output/photo-download or ~/download/photos). 4) Privacy: the code launches a headless browser and makes network requests to Douban/image hosts; do not run it with elevated privileges. 5) Minor docs mismatch: SKILL.md claims it won't connect to existing browser sessions but comments/examples mention inheriting sessions or remote debugging — if you need to preserve browser state, review/modify the code intentionally. If you have concerns, run the code in a controlled environment (container/VM) or review the scripts line-by-line before use.
auto-download.js:165
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk979h6mzmdgcg6s9fhjg24jewd83mxyp
Runtime requirements
Bins: node, npm
Install
Install Playwright for Node.js
npm i -g playwright