Low Risk — Risk Score 25/100
Last scan: 18 hr ago
yby6-video-parser
Video parsing and transcription skill, supporting link parsing and speech transcription for 20+ platforms
This is a legitimate video parsing and transcription skill with no malicious behavior found; minor security concerns include undocumented shell execution for ffmpeg, hardcoded placeholder IPs in comments, and unpinned dependencies.
Skill Name: yby6-video-parser
Duration: 60.4s
Engine: pi
Safe to install
Add the allowed-tools declaration to SKILL.md, pin dependency versions in requirements.txt, and remove the hardcoded example API key from README.md.

Findings (5 items)

[Low] Dependencies not version pinned (Supply Chain) · requirements.txt:1
requirements.txt uses >= constraints without upper bounds for httpx, fake-useragent, and requests, so a compromised or malicious newer release of any of them would be installed automatically (a supply chain risk).
Evidence:
httpx>=0.28.1
fake-useragent>=1.5.1
requests>=2.28.0
→ Pin exact versions, e.g., httpx==0.28.1

[Low] No allowed-tools declaration in SKILL.md (Doc Mismatch) · SKILL.md:1
SKILL.md does not declare an allowed-tools mapping. Actual usage maps to shell:WRITE (ffmpeg subprocess), filesystem:WRITE (tmp/ and demos/ writes), network:READ (API calls), and environment:READ (.env reading).
Evidence: No allowed-tools section present
→ Add an allowed-tools section mapping Bash→shell:WRITE, Read/Write→filesystem:READ/WRITE, WebFetch→network:READ

[Low] Shell execution not declared in SKILL.md (Doc Mismatch) · scripts/transcribe.py:161
transcribe.py uses subprocess.run to execute ffmpeg for audio extraction, which is a shell:WRITE operation, but SKILL.md only lists ffmpeg as an external dependency in its requirements section and does not explicitly declare the subprocess capability.
Evidence: subprocess.run(cmd, capture_output=True, text=True, encoding='utf-8', errors='ignore')
→ Document the ffmpeg subprocess call in SKILL.md or refactor to use a Python-native audio library

[Info] Placeholder IPs in code comments (Sensitive Access) · scripts/parser/bilibili.py:19, scripts/parser/twitter.py:35
bilibili.py:19 and twitter.py:35 contain hardcoded placeholder IPs (108.0.0.0 and 120.0.0.0) in comments. These are fake placeholder values, not real IPs used in code paths, and present no security risk.
Evidence: # ip: 108.0.0.0 @ scripts/parser/bilibili.py:19
→ Remove placeholder IPs from comments to avoid confusion in security scans

[Info] Example API key in README.md (Doc Mismatch) · README.md:29
README.md contains a hardcoded placeholder API key 'sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'. This is clearly an example placeholder, not a real credential, but it sets a poor precedent.
Evidence: api_key=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
→ Replace with a clearly-marked placeholder like 'YOUR_API_KEY_HERE'
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | transcribe.py:167 — writes to tmp/ and demos/ directories; skill.py creates tmp/… |
| Network | NONE | READ | ✓ Aligned | All parser modules use httpx/requests to GET platform APIs; transcribe.py POSTs … |
| Shell | NONE | WRITE | ✓ Aligned | transcribe.py:161 — subprocess.run(['ffmpeg', ...]) for audio extraction |
| Environment | NONE | READ | ✓ Aligned | transcribe.py:132-140, skill.py:215-224 — load_env('.env') reads api_key, model,… |
Pattern scan: 1 Critical · 3 High · 57 findings

| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| Critical | API Key | Hardcoded API key | sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | README.md:29 |
| High | API Key | Suspected hardcoded credential | api_key="your-siliconflow-api-key" | README.md:165 |
| High | IP Address | Hardcoded IP address | 108.0.0.0 | scripts/parser/bilibili.py:19 |
| High | IP Address | Hardcoded IP address | 120.0.0.0 | scripts/parser/twitter.py:35 |
| Medium | External URL | External URL | https://siliconflow.cn/ | .env:2 |
| Medium | External URL | External URL | https://docs.siliconflow.cn/api-reference/audio | .env:6 |
| Medium | External URL | External URL | http://ip:8000/video/share/url/parse?url= | .env:12 |
| Medium | External URL | External URL | https://api.siliconflow.cn/v1/audio/transcriptions | .env:15 |
| Medium | External URL | External URL | https://v.douyin.com/xxxxxx | README.md:45 |
| Medium | External URL | External URL | https://www.xiaohongshu.com/explore/xxxx | README.md:55 |
| Medium | External URL | External URL | https://www.bilibili.com/video/xxxx | README.md:58 |
| Medium | External URL | External URL | https://v.kuaishou.com/yyyyyy | README.md:184 |
| Medium | External URL | External URL | https://www.xiaohongshu.com/explore/zzzzzz | README.md:185 |
| Medium | External URL | External URL | https://tools.thatwind.com/tool/m3u8downloader | scripts/parser/acfun.py:12 |
| Medium | External URL | External URL | https://www.acfun.cn/v/ | scripts/parser/acfun.py:61 |
| Medium | External URL | External URL | https://www.bilibili.com/ | scripts/parser/bilibili.py:25 |
| Medium | External URL | External URL | https://api.bilibili.com/x/web-interface/view?bvid= | scripts/parser/bilibili.py:37 |
| Medium | External URL | External URL | https://api.bilibili.com/x/player/playurl? | scripts/parser/bilibili.py:49 |
| Medium | External URL | External URL | https://v2.doupai.cc/topic/ | scripts/parser/doupai.py:18 |
| Medium | External URL | External URL | https://www.iesdouyin.com/share/video/ | scripts/parser/douyin.py:192 |
| Medium | External URL | External URL | https://www.douyin.com/jingxuan?modal_id=7555093909760789812 | scripts/parser/douyin.py:220 |
| Medium | External URL | External URL | https://www.iesdouyin.com/share/video/7424432820954598707/?region=CN&mid=7424432976273869622&u_code=0 | scripts/parser/douyin.py:226 |
| Medium | External URL | External URL | https://www.douyin.com/video/xxxxxx | scripts/parser/douyin.py:227 |
| Medium | External URL | External URL | https://www.iesdouyin.com/web/api/v2/aweme/slidesinfo/ | scripts/parser/douyin.py:287 |
| Medium | External URL | External URL | https://haokan.baidu.com/v?_format=json&vid= | scripts/parser/haokan.py:18 |
| Medium | External URL | External URL | https://liveapi.huya.com/moment/getMomentContent?videoId= | scripts/parser/huya.py:25 |
| Medium | External URL | External URL | https://v.huya.com/ | scripts/parser/huya.py:29 |
| Medium | External URL | External URL | https://v.kuaishou.com/ | scripts/parser/kuaishou.py:24 |
| Medium | External URL | External URL | https://www.pearvideo.com/videoStatus.jsp?contId= | scripts/parser/lishipin.py:27 |
| Medium | External URL | External URL | https://www.pearvideo.com/detail_ | scripts/parser/lishipin.py:32 |
| Medium | External URL | External URL | https://m.oasis.weibo.cn/v1/h5/share?sid= | scripts/parser/lvzhou.py:45 |
| Medium | External URL | External URL | https://www.meipai.com/video/ | scripts/parser/meipai.py:43 |
| Medium | External URL | External URL | https://share.ippzone.com/ppapi/share/fetch_content | scripts/parser/pipigaoxiao.py:24 |
| Medium | External URL | External URL | https://file.ippzone.com/img/view/id/ | scripts/parser/pipigaoxiao.py:44 |
| Medium | External URL | External URL | https://api.pipix.com/bds/cell/cell_comment/ | scripts/parser/pipixia.py:24 |
| Medium | External URL | External URL | https://quanmin.hao222.com/wise/growth/api/sv/immerse | scripts/parser/quanmin.py:19 |
| Medium | External URL | External URL | https://kg.qq.com/node/play?s= | scripts/parser/quanminkge.py:22 |
| Medium | External URL | External URL | https://ci.xiaohongshu.com/notes_pre_post/ | scripts/parser/redbook.py:59 |
| Medium | External URL | External URL | https://v.6.cn/coop/mobile/index.php? | scripts/parser/sixroom.py:27 |
| Medium | External URL | External URL | https://m.6.cn/v/ | scripts/parser/sixroom.py:32 |
| Medium | External URL | External URL | https://cdn.syndication.twimg.com/tweet-result? | scripts/parser/twitter.py:28 |
| Medium | External URL | External URL | https://platform.twitter.com/ | scripts/parser/twitter.py:38 |
| Medium | External URL | External URL | https://x.com/user/status/1234567890 | scripts/parser/twitter.py:160 |
| Medium | External URL | External URL | https://twitter.com/user/status/1234567890 | scripts/parser/twitter.py:161 |
| Medium | External URL | External URL | https://mobile.twitter.com/user/status/1234567890 | scripts/parser/twitter.py:162 |
| Medium | External URL | External URL | https://weibo.com/2543858012/Q9pcJ4S21 | scripts/parser/weibo.py:28 |
| Medium | External URL | External URL | https://h5.video.weibo.com/api/component?page=/show/ | scripts/parser/weibo.py:38 |
| Medium | External URL | External URL | https://h5.video.weibo.com/show/ | scripts/parser/weibo.py:40 |
| Medium | External URL | External URL | https://m.weibo.cn/statuses/show?id= | scripts/parser/weibo.py:75 |
| Medium | External URL | External URL | https://m.weibo.cn/ | scripts/parser/weibo.py:78 |
| Medium | External URL | External URL | https://h5.weishi.qq.com/webapp/json/weishi/WSH5GetPlayPage | scripts/parser/weishi.py:19 |
| Medium | External URL | External URL | https://www.ixigua.com/ | scripts/parser/xigua.py:19 |
| Medium | External URL | External URL | https://www.ixigua.com/xxxxxx | scripts/parser/xigua.py:20 |
| Medium | External URL | External URL | https://m.ixigua.com/douyin/share/video/ | scripts/parser/xigua.py:37 |
| Medium | External URL | External URL | https://www.xinpianchang.com/ | scripts/parser/xinpianchang.py:19 |
| Medium | External URL | External URL | https://mod-api.xinpianchang.com/mod/api/v2/media/ | scripts/parser/xinpianchang.py:34 |
| Medium | External URL | External URL | https://share.xiaochuankeji.cn/planck/share/post/detail_h5 | scripts/parser/zuiyou.py:19 |

File Tree

31 files · 109.2 KB · 3317 lines
Python: 27 files · 2822 lines; Markdown: 2 files · 471 lines; Other: 1 file · 21 lines; Text: 1 file · 3 lines
├─ 📁 scripts
│ ├─ 📁 parser
│ │ ├─ 🐍 __init__.py Python 178L · 4.8 KB
│ │ ├─ 🐍 acfun.py Python 62L · 2.3 KB
│ │ ├─ 🐍 base.py Python 115L · 2.6 KB
│ │ ├─ 🐍 bilibili.py Python 120L · 4.4 KB
│ │ ├─ 🐍 doupai.py Python 36L · 1.1 KB
│ │ ├─ 🐍 douyin.py Python 313L · 12.3 KB
│ │ ├─ 🐍 haokan.py Python 41L · 1.3 KB
│ │ ├─ 🐍 huya.py Python 49L · 1.5 KB
│ │ ├─ 🐍 kuaishou.py Python 94L · 3.2 KB
│ │ ├─ 🐍 lishipin.py Python 51L · 1.5 KB
│ │ ├─ 🐍 lvzhou.py Python 46L · 1.4 KB
│ │ ├─ 🐍 meipai.py Python 86L · 2.9 KB
│ │ ├─ 🐍 pipigaoxiao.py Python 51L · 1.7 KB
│ │ ├─ 🐍 pipixia.py Python 74L · 2.8 KB
│ │ ├─ 🐍 quanmin.py Python 50L · 1.7 KB
│ │ ├─ 🐍 quanminkge.py Python 50L · 1.5 KB
│ │ ├─ 🐍 redbook.py Python 89L · 3.4 KB
│ │ ├─ 🐍 sixroom.py Python 52L · 1.6 KB
│ │ ├─ 🐍 twitter.py Python 178L · 6.5 KB
│ │ ├─ 🐍 utils.py Python 22L · 639 B
│ │ ├─ 🐍 weibo.py Python 195L · 6.9 KB
│ │ ├─ 🐍 weishi.py Python 46L · 1.4 KB
│ │ ├─ 🐍 xigua.py Python 78L · 3.0 KB
│ │ ├─ 🐍 xinpianchang.py Python 57L · 2.0 KB
│ │ └─ 🐍 zuiyou.py Python 44L · 1.4 KB
│ ├─ 🐍 skill.py Python 255L · 6.6 KB
│ └─ 🐍 transcribe.py Python 390L · 13.3 KB
├─ 🔑 .env 21L · 937 B
├─ 📝 README.md Markdown 276L · 7.6 KB
├─ 📄 requirements.txt Text 3L · 53 B
└─ 📝 SKILL.md Markdown 195L · 6.6 KB

Dependencies (3 items)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| httpx | >=0.28.1 | pip | No | Version not pinned; accepts any 0.28.1+ release |
| fake-useragent | >=1.5.1 | pip | No | Version not pinned; accepts any 1.5.1+ release |
| requests | >=2.28.0 | pip | No | Version not pinned; accepts any 2.28.0+ release |

Security Positives

✓ Credentials are read only from .env file, never hardcoded in runtime code
✓ API key is used only for the legitimate SiliconFlow transcription API call
✓ No credential harvesting or exfiltration detected
✓ No obfuscation (no base64, no eval, no atob patterns)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files outside project)
✓ No persistence mechanisms (no cron, no startup hooks, no backdoors)
✓ No data exfiltration to undeclared external endpoints
✓ No reverse shell, C2, or remote code execution beyond documented ffmpeg
✓ Markdown output is written to a local demos/ directory, not exfiltrated
✓ No prompt injection or jailbreak instructions found