Low Risk — Risk Score 18/100
Last scan: 1 day ago
video-download-transcribe
Multi-platform video download + local transcription + video content analysis (Bilibili/Douyin/TikTok/YouTube/Xiaohongshu/Weibo/Kuaishou)
A legitimate multi-platform video download and transcription skill with documented APIs, declared dependencies, and no evidence of malicious behavior.
Skill Name: video-download-transcribe
Scan duration: 50.6s
Engine: pi
Safe to install
Recommendations: replace the hardcoded /Users/kk/ paths with environment-relative paths so the skill runs outside the author's home directory, and pin dependency versions so a future release of any of the six packages cannot silently change what gets installed.

Findings (2 items)

Severity  Finding                                     Category         Location
Low       Hardcoded absolute paths to user directory  Priv Escalation  douyin-mcp/server.py:114
          The code contains hardcoded paths under /Users/kk/.openclaw/, which assumes one specific user environment, reduces portability and indicates single-user development. (The scanner files this under Priv Escalation; the evidence it cites is a portability problem, not a privilege boundary.)
          Evidence:
            _python = "/Users/kk/.openclaw/mcp-servers/douyin-analyzer/.venv/bin/python3"
          → Use environment-relative paths, for example resolving the interpreter from os.path.dirname(__file__), so the skill runs outside the author's home directory.
Low       Unpinned dependency versions                Supply Chain     douyin-mcp/requirements.txt:1
          requirements.txt lists packages without version constraints (requests, ffmpeg-python, openai, openai-whisper, playwright, nest_asyncio).
          Evidence:
            requests
            ffmpeg-python
            openai
          → Pin versions so an install cannot pull in an unexpected release. The scanner's suggested form, requests>=2.28.0,<3.0.0, is a range and still floats inside those bounds; an exact pin (requests==<exact version>) with --hash entries is the stronger control.
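The portability fix the first finding recommends, as an added example written for this report rather than code from the video-download-transcribe skill: it resolves the helper interpreter relative to the server module instead of hardcoding /Users/kk/..., checks that each candidate actually exists before handing it to subprocess, and falls back to the running interpreter. It assumes a .venv directory beside the server file, as the scanned path suggests but the report does not confirm; the DOUYIN_PYTHON override variable is a hypothetical name.

```python
"""Resolve a helper interpreter relative to the server file instead of
hardcoding an absolute path under one user's home directory.

Added example for this report, not the skill's own code. Assumes a .venv
beside the server module; DOUYIN_PYTHON is a hypothetical override name.
"""
import os
import sys
from pathlib import Path
from typing import Callable, Mapping, Optional


def venv_python(server_file: str,
                env: Optional[Mapping[str, str]] = None,
                is_file: Callable[[str], bool] = os.path.isfile) -> tuple[str, str]:
    """Return (interpreter_path, how_it_was_chosen).

    Order: an explicit override from the environment, a .venv beside the
    server file (POSIX and Windows layouts), then the interpreter running
    this process. Every candidate is checked with is_file so a stale or
    foreign path (another user's home, a deleted venv) is never passed to
    subprocess. The predicate is injectable so the selection logic can be
    exercised without touching the filesystem.
    """
    env = os.environ if env is None else env
    override = env.get("DOUYIN_PYTHON", "")  # hypothetical variable name
    if override:
        if is_file(override):
            return override, "override"
        # A configured-but-missing interpreter is a deployment error; fail
        # loudly rather than silently running with a different Python.
        raise FileNotFoundError(f"DOUYIN_PYTHON points at a missing file: {override}")

    # Equivalent of os.path.dirname(__file__), made absolute.
    base = Path(server_file).resolve().parent
    for rel in (Path(".venv", "bin", "python3"),          # POSIX venv layout
                Path(".venv", "Scripts", "python.exe")):  # Windows venv layout
        candidate = str(base / rel)
        if is_file(candidate):
            return candidate, "venv"

    # No sibling venv: use whatever interpreter is running this server.
    return sys.executable, "fallback"


if __name__ == "__main__":
    print(venv_python(__file__))
```

The returned "how" tag is worth logging at startup: a production instance that reports "fallback" is running without the virtual environment it was developed against, which is the situation the hardcoded path was papering over.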
Resource     Declared  Inferred  Status     Evidence
Filesystem   WRITE     WRITE     ✓ Aligned  server.py:41 writes to ~/.openclaw/video-transcripts, line 40 uses os.path.expan…
Network      READ      READ      ✓ Aligned  server.py: requests to Douyin API, SiliconFlow, MiniMax (all documented)
Shell        WRITE     WRITE     ✓ Aligned  server.py:116-117 subprocess for ffmpeg/yt-dlp, lines 271-276 for playwright
Environment  NONE      READ      ✓ Aligned  server.py:31-33 accesses SILICONFLOW_API_KEY, MINIMAX_API_KEY for legitimate fea…

The Environment row is marked Aligned even though the declared access (NONE) does not match what the code does (READ of SILICONFLOW_API_KEY and MINIMAX_API_KEY at server.py:31-33). The key reads are legitimate, but the declaration is wrong and should list them; an undeclared environment read is exactly the kind of mismatch this table exists to surface.
Network indicators (9 findings: 1 High, 8 Medium)

Severity  Type                  Value                                                           Location
High      Hardcoded IP address  120.0.0.0                                                       douyin-mcp/server.py:184
Medium    External URL          https://api.siliconflow.cn                                      douyin-mcp/server.py:30
Medium    External URL          https://api.minimax.chat                                        douyin-mcp/server.py:34
Medium    External URL          https://liuxingw.com/api/douyin/api.php                         douyin-mcp/server.py:47
Medium    External URL          https://www.iesdouyin.com/share/video/7123456789012345678/...   douyin-mcp/server.py:73
Medium    External URL          https://v.douyin.com/                                           douyin-mcp/server.py:111
Medium    External URL          https://www.iesdouyin.com/web/api/v2/aweme/iteminfo/?item_ids=  douyin-mcp/server.py:180
Medium    External URL          https://www.douyin.com/                                         douyin-mcp/server.py:185
Medium    External URL          https://aweme.snssdk.com                                        douyin-mcp/server.py:295

Two of these deserve a manual look before relying on the Low overall score. The High-rated literal 120.0.0.0 at server.py:184 is not explained anywhere in this report, and the Security Positives section's statement that every network call goes to a documented endpoint does not mention it; read the surrounding code to see what the address is used for. liuxingw.com (server.py:47) is a third-party host rather than a Douyin domain; confirm that SKILL.md names it and explains what is sent to it.

File Tree

5 files · 57.5 KB · 1524 lines
Python 1f · 1328L Markdown 1f · 108L Shell 1f · 76L JSON 1f · 6L Text 1f · 6L
├─ 📁 douyin-mcp
│ ├─ 📄 requirements.txt Text 6L · 69 B
│ ├─ 🐍 server.py Python 1328L · 52.1 KB
│ └─ 🔧 setup.sh Shell 76L · 1.9 KB
├─ 📋 _meta.json JSON 6L · 145 B
└─ 📝 SKILL.md Markdown 108L · 3.4 KB

Dependencies (6 items)

Package         Version  Source  Known Vulns  Notes
requests        *        pip     No           Version not pinned
ffmpeg-python   *        pip     No           Version not pinned
openai          *        pip     No           Version not pinned
openai-whisper  *        pip     No           Version not pinned
playwright      *        pip     No           Version not pinned
nest_asyncio    *        pip     No           Version not pinned

"Known Vulns: No" is only as good as the version it was checked against. With every version left as *, the release installed tomorrow can differ from the one resolved at scan time, so the column should be read as "no known vulnerabilities in whatever pip resolved when the scan ran", not as a property of the skill.
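A check for the unpinned-dependency finding, as an added example written for this report (not code from the skill or the scanner): it parses a requirements.txt, classifies each package as unpinned, range-bounded, pinned, or pinned with hashes, and so flags anything that can still float between installs. The sample inputs are constructed: the first reproduces the six package names the scan lists, the second is a hypothetical hardened file whose version numbers and hash digest are made up.

```python
"""Audit a requirements.txt for dependencies that can float between installs.

Added example for this report; not code from the video-download-transcribe
skill. Handles the subset of requirements syntax relevant to pinning:
names, [extras], version specifiers, ; markers, # comments, backslash
continuations and --hash options.
"""
import re
from dataclasses import dataclass

# One requirement after comment stripping: name, optional [extras],
# optional version specifier, optional ; environment marker (ignored).
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>[^;]*)"
)


def _normalize(name: str) -> str:
    """PEP 503 name normalization: nest_asyncio and Nest.Asyncio -> nest-asyncio."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass(frozen=True)
class Requirement:
    name: str
    spec: str                # "" when the line carries no version constraint
    hashes: tuple[str, ...]  # values of any --hash=... options

    @property
    def status(self) -> str:
        """Classify how tightly the line constrains what pip will install."""
        ops = [s.strip() for s in self.spec.split(",") if s.strip()]
        if not ops:
            return "unpinned"      # pip takes the newest release on every install
        if not any(op.startswith("==") for op in ops):
            return "range"         # bounded, but still floats inside the range
        return "pinned+hash" if self.hashes else "pinned"


def parse_requirements(text: str) -> list[Requirement]:
    """Parse requirements.txt text into Requirement records."""
    text = text.replace("\\\n", " ")  # pip joins backslash-continued lines
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, or -r / -e / --index-url lines
            continue
        head, *hash_opts = line.split("--hash=")
        m = _REQ_RE.match(head.strip())
        if not m:
            continue
        reqs.append(Requirement(_normalize(m["name"]), m["spec"].strip(),
                                tuple(h.strip() for h in hash_opts)))
    return reqs


def audit(text: str) -> dict[str, str]:
    """Map each package to its pin status; anything but pinned+hash is a finding."""
    return {r.name: r.status for r in parse_requirements(text)}


# Constructed from the six package names the scan lists; the report does not
# show anything else from the skill's douyin-mcp/requirements.txt.
SCANNED = """requests
ffmpeg-python
openai
openai-whisper
playwright
nest_asyncio
"""

# Hypothetical hardened file: the version numbers and the hash digest are
# made up for illustration, not real releases.
HARDENED = """requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
ffmpeg-python>=0.2.0,<1.0   # range only: still floats
openai[datalib]==1.0.0 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    for name, status in audit(SCANNED).items():
        print(f"{name:16} {status}")
```

Run against the scanned file every package comes back "unpinned"; against the hardened file only the hashed requests line reaches "pinned+hash", the bounded ffmpeg-python line is reported as "range", and the bare "==" pin on openai as "pinned", which is the distinction the scanner's suggested requests>=2.28.0,<3.0.0 form blurs.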

Security Positives

✓ Documentation (SKILL.md) accurately describes functionality and matches implementation
✓ No credential harvesting - API keys used only for intended services (SiliconFlow, MiniMax)
✓ No sensitive file access (~/.ssh, ~/.aws, .env) for theft purposes
✓ No data exfiltration - all network calls go to the documented endpoints (the video platform APIs plus the SiliconFlow and MiniMax APIs named in the resource table)
✓ No obfuscation or base64-encoded hidden payloads
✓ Uses standard video processing libraries (ffmpeg, yt-dlp, whisper)
✓ Temporary files properly cleaned up with try/finally
✓ MCP tool descriptions are clear and accurate