Suspicious: risk score 45/100
Last scan: 19 hours ago
Douyin Video Watermark-free Downloader
Douyin video watermark-free downloader using undisclosed third-party proxy
The skill implements a Douyin video downloader that relies on an undocumented third-party proxy API and on required permissions it does not declare; it lacks transparency about data handling despite plausibly benign functionality.
Skill name: Douyin Video Watermark-free Downloader
Analysis time: 45.3s
Engine: pi
Verdict: use with caution
Declare required network and filesystem permissions in SKILL.md. Investigate the undocumented lvhomeproxy2.dpdns.org proxy service — either replace with documented API or disclose its role. Add allowedTools section specifying requests and file I/O usage.

Security findings (3)

Severity | Finding | Location

[High] Undocumented third-party proxy API (category: documentation deception)
Location: scripts/douyin-no-watermark-downloader.py:18
The script uses 'https://lvhomeproxy2.dpdns.org/api/hybrid/video_data' as a proxy for resolving Douyin video links. This service is not mentioned anywhere in SKILL.md. Users have no way to know that their video links are being routed through an undisclosed third-party service that could log or retain request data.
Evidence: base_url = "https://lvhomeproxy2.dpdns.org/api/hybrid/video_data"
→ Either disclose the proxy service in SKILL.md with privacy/data handling information, or replace it with a self-hosted/verified proxy. Alternatively, use Douyin's public API directly if one is available.

[Medium] Missing allowed-tools declaration (category: privilege escalation)
Location: SKILL.md:1
SKILL.md does not declare any allowed tools. The code uses requests (network access) and file I/O (filesystem WRITE to the Desktop), but neither is listed in the metadata or capabilities section.
Evidence: No allowedTools section present in the metadata block
→ Add an allowedTools section to the SKILL.md metadata declaring: Read (filesystem:READ), Write (filesystem:WRITE) for video output, and WebFetch or equivalent for network requests.

[Low] Hardcoded User-Agent and Referer headers (category: sensitive access)
Location: scripts/douyin-no-watermark-downloader.py:83
Lines 83-85 hardcode a Chrome User-Agent and a douyin.com Referer. While not malicious in themselves, these values could later be changed to evade anti-bot detection, altering behaviour after deployment without a documentation update.
Evidence: "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36..."
→ Document that the User-Agent/Referer spoofing is intentional for video platform compatibility.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✗ exceeds declaration | scripts/douyin-no-watermark-downloader.py:66 writes to a Desktop path via open()
Network access | NONE | READ | ✗ exceeds declaration | scripts/douyin-no-watermark-downloader.py:18 uses requests.get() to lvhomeproxy2…
9 findings (1 high)

Severity | Type | Detail | Value | Location
High | IP address | Hardcoded IP address | 120.0.0.0 | scripts/douyin-no-watermark-downloader.py:83
Medium | External URL | External URL | https://v.douyin.com/1A4yExNduOU/ | SKILL.md:30
Medium | External URL | External URL | https://v.douyin.com/8B9xYz789/ | SKILL.md:31
Medium | External URL | External URL | https://v.douyin.com/XIkH2hGDnw/ | SKILL.md:40
Medium | External URL | External URL | https://lvhomeproxy2.dpdns.org/api/hybrid/video_data | scripts/douyin-no-watermark-downloader.py:18
Medium | External URL | External URL | https://www.douyin.com/ | scripts/douyin-no-watermark-downloader.py:84
Medium | External URL | External URL | https://v.douyin.com/xxxxx | scripts/douyin-no-watermark-downloader.py:113
Medium | External URL | External URL | https://v\.douyin\.com/[^\s | scripts/douyin-no-watermark-downloader.py:121
Medium | External URL | External URL | https://v.douyin.com/XIkH2hGDHnw/ | scripts/douyin-no-watermark-downloader.py:141

Directory structure

2 files · 7.9 KB · 227 lines
Python: 1 file · 167 lines; Markdown: 1 file · 60 lines
├─ 📁 scripts
│ └─ 🐍 douyin-no-watermark-downloader.py Python 167L · 5.4 KB
└─ 📝 SKILL.md Markdown 60L · 2.5 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Version not pinned; library widely used, low supply chain risk

Security highlights

✓ No shell execution or subprocess usage — script only uses Python standard library and requests
✓ No credential harvesting or environment variable iteration for secrets
✓ No obfuscation (base64, eval, anti-analysis techniques)
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)
✓ No data exfiltration beyond standard video download operation
✓ No suspicious imports (only sys, requests, time, logging, os, datetime, re)
✓ No downloads of external scripts at runtime