douyin-video-analyzer Security Report — Low Risk | ClawSafe

10 /100

douyin-video-analyzer

抖音视频深度拆解分析器 - Analyzes Douyin videos by extracting frames and audio for AI-powered visual and speech analysis

This is a legitimate video analysis tool that downloads Douyin videos, extracts frames/audio using standard CLI tools, and sends them to Zhipu AI for visual/speech analysis. All declared capabilities align with actual functionality.

Skill Namedouyin-video-analyzer

Duration51.7s

Enginepi

✓

Safe to install

Skill is safe to use. Ensure ZHIPU_API_KEY is properly secured and not logged in CI environments.

Findings 1 items

Severity	Finding	Location
Low	Pre-scan IOC: Hardcoded IP address Doc Mismatch Pre-scan flagged a hardcoded IP address (120.0.0.0) at lib/scraper.js:11. This IP is not present in the current code, suggesting it may have been sanitized or is a false positive from the pre-scan tool. The IP 120.0.0.0 is also not a valid routable address. `const parsedUrl = new URL(url);` → No action required - likely false positive. Monitor if future versions introduce suspicious network endpoints.	`lib/scraper.js:11`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/analyze.js:57 - fs.mkdirSync for temp dirs
Network	`READ`	`READ`	✓ Aligned	lib/scraper.js, lib/ai-analyzer.js - HTTPS requests to Douyin + Zhipu AI
Shell	`WRITE`	`WRITE`	✓ Aligned	lib/frame-extractor.js:88, lib/video-downloader.js:67 - exec ffmpeg/yt-dlp
Environment	`READ`	`READ`	✓ Aligned	scripts/analyze.js:20 - reads ZHIPU_API_KEY
Skill Invoke	`NONE`	`NONE`	—	No inter-skill invocation found

1 High 9 findings

📡

High IP Address 硬编码 IP 地址

120.0.0.0

lib/scraper.js:11

🔗

Medium External URL 外部 URL

https://v.douyin.com/xxxxx

PRD.md:72

🔗

Medium External URL 外部 URL

https://v.douyin.com/xxxxxx/

SKILL.md:44

🔗

Medium External URL 外部 URL

https://ffmpeg.org/download.html

lib/frame-extractor.js:59

🔗

Medium External URL 外部 URL

https://v.douyin.com/6biejtHeP30/

lib/playwright-scraper.js:98

🔗

Medium External URL 外部 URL

https://www.douyin.com/

lib/scraper.js:38

🔗

Medium External URL 外部 URL

https://www.douyin.com/video/$

lib/scraper.js:151

🔗

Medium External URL 外部 URL

https://open.bigmodel.cn/api/paas/v4/chat/completions

openspec/changes/phase2-video-analysis/design/architecture.md:117

🔗

Medium External URL 外部 URL

https://dotenvx.com

package-lock.json:209

File Tree

18 files · 78.6 KB · 2482 lines

JavaScript 9f · 1319L JSON 3f · 695L Markdown 6f · 468L

├─ ▾ 📁 lib

│ ├─ 📜 ai-analyzer.js JavaScript 161L · 5.0 KB

│ ├─ 📜 audio-processor.js JavaScript 115L · 3.4 KB

│ ├─ 📜 frame-extractor.js JavaScript 152L · 4.1 KB

│ ├─ 📜 playwright-scraper.js JavaScript 105L · 3.8 KB

│ ├─ 📜 scraper.js JavaScript 194L · 5.4 KB

│ ├─ 📜 url-resolver.js JavaScript 147L · 3.5 KB

│ ├─ 📜 utils.js JavaScript 93L · 2.3 KB

│ └─ 📜 video-downloader.js JavaScript 209L · 6.2 KB

├─ ▾ 📁 openspec

│ └─ ▾ 📁 changes

│ └─ ▾ 📁 phase2-video-analysis

│ ├─ ▾ 📁 design

│ │ └─ 📝 architecture.md Markdown 178L · 5.7 KB

│ ├─ ▾ 📁 specs

│ │ └─ 📝 requirements.md Markdown 46L · 1.7 KB

│ ├─ ▾ 📁 tasks

│ │ └─ 📝 implementation.md Markdown 64L · 2.3 KB

│ └─ 📝 proposal.md Markdown 22L · 738 B

├─ ▾ 📁 scripts

│ └─ 📜 analyze.js JavaScript 143L · 5.7 KB

├─ 📋 _meta.json JSON 22L · 717 B

├─ 📋 package-lock.json JSON 635L · 22.2 KB

├─ 📋 package.json JSON 38L · 986 B

├─ 📝 PRD.md Markdown 103L · 3.2 KB

└─ 📝 SKILL.md Markdown 55L · 1.8 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`axios`	`^1.6.0`	npm	No	Version range not pinned
`cheerio`	`^1.0.0-rc.12`	npm	No	Pre-release version with caret range
`dotenv`	`^16.3.1`	npm	No	Standard practice for env loading
`playwright-chromium`	`^1.40.0`	npm	No	Major version pinned

Security Positives

✓ All shell commands (ffmpeg, yt-dlp, ffprobe) are legitimate video processing tools clearly required for the stated purpose

✓ Network communication limited to declared endpoints: Douyin.com and open.bigmodel.cn (Zhipu AI)

✓ No credential harvesting beyond the expected ZHIPU_API_KEY usage for API authentication

✓ No base64-encoded payloads or obfuscated execution detected

✓ No unauthorized access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ Temporary files are properly cleaned up after processing

✓ Documentation clearly states data transmission to external AI service

✓ API key only used for Zhipu AI authentication, not exfiltrated

Scan Report

Findings 1 items

File Tree

Dependencies 4 items

Security Positives