Skill Trust Decision

Douyin Watermark-Free Video Downloader (抖音视频无水印下载器)

Skill implements a Douyin video downloader with undocumented third-party proxy API and undeclared required permissions, lacking transparency about data handling despite plausible benign functionality.

Install decision first

Source: Manual upload
Scanned: Apr 5, 2026
Files 2
Artifacts 9
Violations 2
Findings 3
Most direct threat evidence
High Doc Mismatch
Undocumented third-party proxy API

The script uses 'https://lvhomeproxy2.dpdns.org/api/hybrid/video_data' as a proxy for Douyin video parsing. This service is not mentioned anywhere in SKILL.md. Users have no way to know their video links are being routed through an undisclosed third-party service that could log or retain request data.

scripts/douyin-no-watermark-downloader.py:18

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Undeclared required capabilities +20

SKILL.md lacks allowedTools section; code requires network:READ and filesystem:WRITE without declaration

Undocumented third-party proxy API +15

lvhomeproxy2.dpdns.org proxies video parsing requests but is not mentioned in documentation — unclear what data is logged or processed

Broad network access pattern +10

Script makes HTTPS requests to external services for every download operation

Most important evidence

High Doc Mismatch

Undocumented third-party proxy API

The script uses 'https://lvhomeproxy2.dpdns.org/api/hybrid/video_data' as a proxy for Douyin video parsing. This service is not mentioned anywhere in SKILL.md. Users have no way to know their video links are being routed through an undisclosed third-party service that could log or retain request data.

scripts/douyin-no-watermark-downloader.py:18
Either disclose the proxy service in SKILL.md with privacy/data handling info, or replace with a self-hosted/verified proxy. Alternatively, use Douyin's public API directly if available.
Medium Priv Escalation

Missing allowed-tools declaration

SKILL.md does not declare any allowed tools. The code uses requests (network access) and file I/O (filesystem WRITE to Desktop) but these are not listed in the metadata or capabilities section.

SKILL.md:1
Add an allowedTools section to SKILL.md metadata declaring: Read (filesystem:READ), Write (filesystem:WRITE) for video output, and WebFetch or equivalent for network requests.
Low Sensitive Access

Hardcoded User-Agent and Referer headers

Lines 83-85 hardcode Chrome User-Agent and douyin.com Referer. While not malicious, these could be updated to evade anti-bot detection, changing behavior post-deployment without doc update.

scripts/douyin-no-watermark-downloader.py:83
Document that User-Agent/Referer spoofing is intentional for video platform compatibility.

Declared capability vs actual capability

Filesystem Block
Declared NONE
Inferred WRITE
scripts/douyin-no-watermark-downloader.py:66 writes to Desktop path via open()
Network Block
Declared NONE
Inferred READ
scripts/douyin-no-watermark-downloader.py:18 uses requests.get() to lvhomeproxy2.dpdns.org

Suspicious artifacts and egress

High IP Address
120.0.0.0

scripts/douyin-no-watermark-downloader.py:83

Medium External URL
https://v.douyin.com/1A4yExNduOU/

SKILL.md:30

Medium External URL
https://v.douyin.com/8B9xYz789/

SKILL.md:31

Medium External URL
https://v.douyin.com/XIkH2hGDnw/

SKILL.md:40

Medium External URL
https://lvhomeproxy2.dpdns.org/api/hybrid/video_data

scripts/douyin-no-watermark-downloader.py:18

Medium External URL
https://www.douyin.com/

scripts/douyin-no-watermark-downloader.py:84

Medium External URL
https://v.douyin.com/xxxxx

scripts/douyin-no-watermark-downloader.py:113

Medium External URL
https://v\.douyin\.com/[^\s

scripts/douyin-no-watermark-downloader.py:121

Medium External URL
https://v.douyin.com/XIkH2hGDHnw/

scripts/douyin-no-watermark-downloader.py:141

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
requests | * | pip | No | Version not pinned; library widely used, low supply chain risk

File composition

2 files · 227 lines
Python 1 file · 167 lines
Markdown 1 file · 60 lines
Files of concern · 2
scripts/douyin-no-watermark-downloader.py Python · 167 lines
Undocumented third-party proxy API · Hardcoded User-Agent and Referer headers · 120.0.0.0 · https://lvhomeproxy2.dpdns.org/api/hybrid/video_data · https://www.douyin.com/ · https://v.douyin.com/xxxxx · https://v\.douyin\.com/[^\s · https://v.douyin.com/XIkH2hGDHnw/
SKILL.md Markdown · 60 lines
Missing allowed-tools declaration · https://v.douyin.com/1A4yExNduOU/ · https://v.douyin.com/8B9xYz789/ · https://v.douyin.com/XIkH2hGDnw/

Security positives

No shell execution or subprocess usage — script only uses Python standard library and requests
No credential harvesting or environment variable iteration for secrets
No obfuscation (base64, eval, anti-analysis techniques)
No persistence mechanisms (no cron, startup scripts, or backdoors)
No data exfiltration beyond standard video download operation
No suspicious imports (only sys, requests, time, logging, os, datetime, re)
No downloads of external scripts at runtime