Suspicious — Risk Score 45/100
Last scan: 16 hr ago
抖音视频无水印下载器 (Douyin watermark-free video downloader)
Douyin video watermark-free downloader using undisclosed third-party proxy
Skill implements a Douyin video downloader with undocumented third-party proxy API and undeclared required permissions, lacking transparency about data handling despite plausible benign functionality.
Skill Name: 抖音视频无水印下载器 (Douyin watermark-free video downloader)
Duration: 45.3s
Engine: pi
Use with caution
Declare required network and filesystem permissions in SKILL.md. Investigate the undocumented lvhomeproxy2.dpdns.org proxy service — either replace with documented API or disclose its role. Add allowedTools section specifying requests and file I/O usage.

Findings (3 items)

Severity | Finding | Location

[High] Undocumented third-party proxy API (category: Doc Mismatch)
The script uses 'https://lvhomeproxy2.dpdns.org/api/hybrid/video_data' as a proxy for Douyin video resolution. This service is not mentioned anywhere in SKILL.md. Users have no way to know that their video links are being routed through an undisclosed third-party service that could log or retain request data.
Evidence: base_url = "https://lvhomeproxy2.dpdns.org/api/hybrid/video_data"
→ Either disclose the proxy service in SKILL.md with privacy/data-handling information, or replace it with a self-hosted/verified proxy. Alternatively, use Douyin's public API directly if one is available.
Location: scripts/douyin-no-watermark-downloader.py:18

[Medium] Missing allowed-tools declaration (category: Priv Escalation)
SKILL.md does not declare any allowed tools. The code uses requests (network access) and file I/O (filesystem WRITE to the Desktop), but neither is listed in the metadata or capabilities section.
Evidence: No allowedTools section present in the metadata block
→ Add an allowedTools section to the SKILL.md metadata declaring: Read (filesystem:READ), Write (filesystem:WRITE) for video output, and WebFetch or equivalent for network requests.
Location: SKILL.md:1

[Low] Hardcoded User-Agent and Referer headers (category: Sensitive Access)
Lines 83-85 hardcode a Chrome User-Agent and a douyin.com Referer. While not malicious in itself, these values could later be changed to evade anti-bot detection, altering behaviour after deployment without a documentation update.
Evidence: "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36..."
→ Document that the User-Agent/Referer spoofing is intentional for video platform compatibility.
Location: scripts/douyin-no-watermark-downloader.py:83
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | scripts/douyin-no-watermark-downloader.py:66 writes to Desktop path via open()
Network | NONE | READ | ✗ Violation | scripts/douyin-no-watermark-downloader.py:18 uses requests.get() to lvhomeproxy2…
1 High · 9 findings

📡 High | IP Address (hardcoded IP address)
120.0.0.0
scripts/douyin-no-watermark-downloader.py:83 (the same line as the hardcoded User-Agent header flagged above; confirm whether this is a real address or a version token inside that header string)

🔗 Medium | External URL
https://v.douyin.com/1A4yExNduOU/
SKILL.md:30

🔗 Medium | External URL
https://v.douyin.com/8B9xYz789/
SKILL.md:31

🔗 Medium | External URL
https://v.douyin.com/XIkH2hGDnw/
SKILL.md:40

🔗 Medium | External URL
https://lvhomeproxy2.dpdns.org/api/hybrid/video_data
scripts/douyin-no-watermark-downloader.py:18

🔗 Medium | External URL
https://www.douyin.com/
scripts/douyin-no-watermark-downloader.py:84

🔗 Medium | External URL
https://v.douyin.com/xxxxx
scripts/douyin-no-watermark-downloader.py:113

🔗 Medium | External URL (regex pattern fragment)
https://v\.douyin\.com/[^\s
scripts/douyin-no-watermark-downloader.py:121

🔗 Medium | External URL
https://v.douyin.com/XIkH2hGDHnw/
scripts/douyin-no-watermark-downloader.py:141

File Tree

2 files · 7.9 KB · 227 lines
Python: 1 file · 167 lines | Markdown: 1 file · 60 lines
├─ 📁 scripts
│ └─ 🐍 douyin-no-watermark-downloader.py Python 167L · 5.4 KB
└─ 📝 SKILL.md Markdown 60L · 2.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned; library widely used, low supply chain risk

Security Positives

✓ No shell execution or subprocess usage — script only uses Python standard library and requests
✓ No credential harvesting or environment variable iteration for secrets
✓ No obfuscation (base64, eval, anti-analysis techniques)
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)
✓ No data exfiltration beyond standard video download operation
✓ No suspicious imports (only sys, requests, time, logging, os, datetime, re)
✓ No downloads of external scripts at runtime