Low risk — risk score 10/100
Last scan: 1 day ago
douyin-video-analyzer
Douyin video deep-dive analyzer - Analyzes Douyin videos by extracting frames and audio for AI-powered visual and speech analysis
This is a legitimate video analysis tool that downloads Douyin videos, extracts frames/audio using standard CLI tools, and sends them to Zhipu AI for visual/speech analysis. All declared capabilities align with actual functionality.
Skill name: douyin-video-analyzer
Analysis time: 51.7s
Engine: pi
Verdict: safe to install
Skill is safe to use. Ensure ZHIPU_API_KEY is properly secured and not logged in CI environments.

Security findings: 1

Severity | Finding | Location
Low | Pre-scan IOC: Hardcoded IP address (documentation deception) | lib/scraper.js:11

Pre-scan flagged a hardcoded IP address (120.0.0.0) at lib/scraper.js:11. This IP is not present in the current code, suggesting it may have been sanitized or is a false positive from the pre-scan tool. The IP 120.0.0.0 is also not a valid routable address.

Evidence at the flagged line:
const parsedUrl = new URL(url);

→ No action required - likely false positive. Monitor if future versions introduce suspicious network endpoints.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | scripts/analyze.js:57 - fs.mkdirSync for temp dirs
Network access | READ | READ | ✓ Consistent | lib/scraper.js, lib/ai-analyzer.js - HTTPS requests to Douyin + Zhipu AI
Command execution | WRITE | WRITE | ✓ Consistent | lib/frame-extractor.js:88, lib/video-downloader.js:67 - exec ffmpeg/yt-dlp
Environment variables | READ | READ | ✓ Consistent | scripts/analyze.js:20 - reads ZHIPU_API_KEY
Skill invocation | NONE | NONE | | No inter-skill invocation found
Indicators of compromise: 9 findings (1 high)

Severity | Type | Value | Location
High | Hardcoded IP address | 120.0.0.0 | lib/scraper.js:11
Medium | External URL | https://v.douyin.com/xxxxx | PRD.md:72
Medium | External URL | https://v.douyin.com/xxxxxx/ | SKILL.md:44
Medium | External URL | https://ffmpeg.org/download.html | lib/frame-extractor.js:59
Medium | External URL | https://v.douyin.com/6biejtHeP30/ | lib/playwright-scraper.js:98
Medium | External URL | https://www.douyin.com/ | lib/scraper.js:38
Medium | External URL | https://www.douyin.com/video/$ | lib/scraper.js:151
Medium | External URL | https://open.bigmodel.cn/api/paas/v4/chat/completions | openspec/changes/phase2-video-analysis/design/architecture.md:117
Medium | External URL | https://dotenvx.com | package-lock.json:209

Directory structure

18 files · 78.6 KB · 2482 lines
JavaScript 9 files · 1319 lines; JSON 3 files · 695 lines; Markdown 6 files · 468 lines
├─ 📁 lib
│  ├─ 📜 ai-analyzer.js JavaScript 161L · 5.0 KB
│  ├─ 📜 audio-processor.js JavaScript 115L · 3.4 KB
│  ├─ 📜 frame-extractor.js JavaScript 152L · 4.1 KB
│  ├─ 📜 playwright-scraper.js JavaScript 105L · 3.8 KB
│  ├─ 📜 scraper.js JavaScript 194L · 5.4 KB
│  ├─ 📜 url-resolver.js JavaScript 147L · 3.5 KB
│  ├─ 📜 utils.js JavaScript 93L · 2.3 KB
│  └─ 📜 video-downloader.js JavaScript 209L · 6.2 KB
├─ 📁 openspec
│  └─ 📁 changes
│     └─ 📁 phase2-video-analysis
│        ├─ 📁 design
│        │  └─ 📝 architecture.md Markdown 178L · 5.7 KB
│        ├─ 📁 specs
│        │  └─ 📝 requirements.md Markdown 46L · 1.7 KB
│        ├─ 📁 tasks
│        │  └─ 📝 implementation.md Markdown 64L · 2.3 KB
│        └─ 📝 proposal.md Markdown 22L · 738 B
├─ 📁 scripts
│  └─ 📜 analyze.js JavaScript 143L · 5.7 KB
├─ 📋 _meta.json JSON 22L · 717 B
├─ 📋 package-lock.json JSON 635L · 22.2 KB
├─ 📋 package.json JSON 38L · 986 B
├─ 📝 PRD.md Markdown 103L · 3.2 KB
└─ 📝 SKILL.md Markdown 55L · 1.8 KB

Dependency analysis: 4 packages

Package | Version | Source | Known vulnerabilities | Notes
axios | ^1.6.0 | npm | | Version range not pinned
cheerio | ^1.0.0-rc.12 | npm | | Pre-release version with caret range
dotenv | ^16.3.1 | npm | | Standard practice for env loading
playwright-chromium | ^1.40.0 | npm | | Major version pinned

Security highlights

✓ All shell commands (ffmpeg, yt-dlp, ffprobe) are legitimate video processing tools clearly required for the stated purpose
✓ Network communication limited to declared endpoints: Douyin.com and open.bigmodel.cn (Zhipu AI)
✓ No credential harvesting beyond the expected ZHIPU_API_KEY usage for API authentication
✓ No base64-encoded payloads or obfuscated execution detected
✓ No unauthorized access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Temporary files are properly cleaned up after processing
✓ Documentation clearly states data transmission to external AI service
✓ API key only used for Zhipu AI authentication, not exfiltrated