Security Decision Report

Douyin No-Watermark Video Downloader

Skill implements a Douyin video downloader with undocumented third-party proxy API and undeclared required permissions, lacking transparency about data handling despite plausible benign functionality.

Install decision priority · Source: manual upload · Scan time: 2026/4/5
Files: 2
IOCs: 9
Permission violations: 2
Findings: 3

Most direct threat evidence

High · Documentation deception
Undocumented third-party proxy API

The script uses 'https://lvhomeproxy2.dpdns.org/api/hybrid/video_data' as a proxy for Douyin video parsing. This service is not mentioned anywhere in SKILL.md. Users have no way to know their video links are being routed through an undisclosed third-party service that could log or retain request data.

scripts/douyin-no-watermark-downloader.py:18

Why this conclusion was reached

3 of 4 dimensions triggered

Block · Declared vs. actual capabilities

Found 2 capabilities or permission violations beyond what is declared.

Block · Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block · Attack chains and high-risk findings

The report contains a 0-step attack chain, plus 1 high or critical finding.

Review · Dependencies and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

How the risk score was raised

Undeclared required capabilities +20

SKILL.md lacks allowedTools section; code requires network:READ and filesystem:WRITE without declaration

Undocumented third-party proxy API +15

lvhomeproxy2.dpdns.org proxies video parsing requests but is not mentioned in documentation — unclear what data is logged or processed

Broad network access pattern +10

Script makes HTTPS requests to external services for every download operation

Most critical evidence

High · Documentation deception

Undocumented third-party proxy API

The script uses 'https://lvhomeproxy2.dpdns.org/api/hybrid/video_data' as a proxy for Douyin video parsing. This service is not mentioned anywhere in SKILL.md. Users have no way to know their video links are being routed through an undisclosed third-party service that could log or retain request data.

scripts/douyin-no-watermark-downloader.py:18
Either disclose the proxy service in SKILL.md with privacy/data handling info, or replace with a self-hosted/verified proxy. Alternatively, use Douyin's public API directly if available.

Medium · Privilege escalation

Missing allowed-tools declaration

SKILL.md does not declare any allowed tools. The code uses requests (network access) and file I/O (filesystem WRITE to Desktop) but these are not listed in the metadata or capabilities section.

SKILL.md:1
Add an allowedTools section to SKILL.md metadata declaring: Read (filesystem:READ), Write (filesystem:WRITE) for video output, and WebFetch or equivalent for network requests.

Low · Sensitive access

Hardcoded User-Agent and Referer headers

Lines 83-85 hardcode Chrome User-Agent and douyin.com Referer. While not malicious, these could be updated to evade anti-bot detection, changing behavior post-deployment without doc update.

scripts/douyin-no-watermark-downloader.py:83
Document that User-Agent/Referer spoofing is intentional for video platform compatibility.

Declared capabilities vs. actual capabilities

Filesystem · Block
  Declared: NONE
  Inferred: WRITE
  scripts/douyin-no-watermark-downloader.py:66 writes to Desktop path via open()
Network access · Block
  Declared: NONE
  Inferred: READ
  scripts/douyin-no-watermark-downloader.py:18 uses requests.get() to lvhomeproxy2.dpdns.org

Suspicious artifacts and outbound connections

High · IP address · 120.0.0.0 · scripts/douyin-no-watermark-downloader.py:83
Medium · External URL · https://v.douyin.com/1A4yExNduOU/ · SKILL.md:30
Medium · External URL · https://v.douyin.com/8B9xYz789/ · SKILL.md:31
Medium · External URL · https://v.douyin.com/XIkH2hGDnw/ · SKILL.md:40
Medium · External URL · https://lvhomeproxy2.dpdns.org/api/hybrid/video_data · scripts/douyin-no-watermark-downloader.py:18
Medium · External URL · https://www.douyin.com/ · scripts/douyin-no-watermark-downloader.py:84
Medium · External URL · https://v.douyin.com/xxxxx · scripts/douyin-no-watermark-downloader.py:113
Medium · External URL · https://v\.douyin\.com/[^\s · scripts/douyin-no-watermark-downloader.py:121
Medium · External URL · https://v.douyin.com/XIkH2hGDHnw/ · scripts/douyin-no-watermark-downloader.py:141

Dependencies and supply chain

Package    Version    Source    Vulnerabilities    Notes
requests   *          pip       -                  Version not pinned; library widely used, low supply chain risk

File composition

2 files · 227 lines
Python: 1 file · 167 lines
Markdown: 1 file · 60 lines
Files needing attention · 2
scripts/douyin-no-watermark-downloader.py · Python · 167 lines
Undocumented third-party proxy API · Hardcoded User-Agent and Referer headers · 120.0.0.0 · https://lvhomeproxy2.dpdns.org/api/hybrid/video_data · https://www.douyin.com/ · https://v.douyin.com/xxxxx · https://v\.douyin\.com/[^\s · https://v.douyin.com/XIkH2hGDHnw/
SKILL.md · Markdown · 60 lines
Missing allowed-tools declaration · https://v.douyin.com/1A4yExNduOU/ · https://v.douyin.com/8B9xYz789/ · https://v.douyin.com/XIkH2hGDnw/

Security highlights

No shell execution or subprocess usage — script only uses Python standard library and requests
No credential harvesting or environment variable iteration for secrets
No obfuscation (base64, eval, anti-analysis techniques)
No persistence mechanisms (no cron, startup scripts, or backdoors)
No data exfiltration beyond standard video download operation
No suspicious imports (only sys, requests, time, logging, os, datetime, re)
No downloads of external scripts at runtime