中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 18/100
上次扫描:1 天前 重新扫描
18 /100
video-download-transcribe
多平台视频下载 + 本地转录 + 视频内容分析 (B站/抖音/TikTok/YouTube/小红书/微博/快手)
A legitimate multi-platform video download and transcription skill with documented APIs, declared dependencies, and no evidence of malicious behavior.
技能名称video-download-transcribe
分析耗时50.6s
引擎pi
可以安装
Consider replacing hardcoded paths (/Users/kk/) with environment-relative paths for portability. Pin dependency versions to avoid supply chain risks.

安全发现 2 项

严重性 安全发现 位置
低危
Hardcoded absolute paths to user directory 权限提升
Code contains hardcoded paths /Users/kk/.openclaw/ which assumes a specific user environment, reducing portability and indicating single-user development
_python = "/Users/kk/.openclaw/mcp-servers/douyin-analyzer/.venv/bin/python3"
→ Use environment-relative paths or os.path.dirname(__file__) for portability
 douyin-mcp/server.py:114
低危
Unpinned dependency versions 供应链
requirements.txt lists packages without version constraints (requests, ffmpeg-python, openai, openai-whisper, playwright, nest_asyncio)
requests
ffmpeg-python
openai
→ Pin versions to prevent unexpected updates: requests>=2.28.0,<3.0.0
 douyin-mcp/requirements.txt:1
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 server.py:41 writes to ~/.openclaw/video-transcripts, line 40 uses os.path.expan…
网络访问 READ READ ✓ 一致 server.py: requests to Douyin API, SiliconFlow, MiniMax (all documented)
命令执行 WRITE WRITE ✓ 一致 server.py:116-117 subprocess for ffmpeg/yt-dlp, lines 271-276 for playwright
环境变量 NONE READ ✓ 一致 server.py:31-33 accesses SILICONFLOW_API_KEY, MINIMAX_API_KEY for legitimate fea…
1 高危 9 项发现
📡
高危 IP 地址 硬编码 IP 地址
120.0.0.0
douyin-mcp/server.py:184
🔗
中危 外部 URL 外部 URL
https://api.siliconflow.cn
douyin-mcp/server.py:30
🔗
中危 外部 URL 外部 URL
https://api.minimax.chat
douyin-mcp/server.py:34
🔗
中危 外部 URL 外部 URL
https://liuxingw.com/api/douyin/api.php
douyin-mcp/server.py:47
🔗
中危 外部 URL 外部 URL
https://www.iesdouyin.com/share/video/7123456789012345678/...
douyin-mcp/server.py:73
🔗
中危 外部 URL 外部 URL
https://v.douyin.com/
douyin-mcp/server.py:111
🔗
中危 外部 URL 外部 URL
https://www.iesdouyin.com/web/api/v2/aweme/iteminfo/?item_ids=
douyin-mcp/server.py:180
🔗
中危 外部 URL 外部 URL
https://www.douyin.com/
douyin-mcp/server.py:185
🔗
中危 外部 URL 外部 URL
https://aweme.snssdk.com
douyin-mcp/server.py:295

目录结构

5 文件 · 57.5 KB · 1524 行
Python 1f · 1328L Markdown 1f · 108L Shell 1f · 76L JSON 1f · 6L Text 1f · 6L
├─ 📁 douyin-mcp
│ ├─ 📄 requirements.txt Text 6L · 69 B
│ ├─ 🐍 server.py Python 1328L · 52.1 KB
│ └─ 🔧 setup.sh Shell 76L · 1.9 KB
├─ 📋 _meta.json JSON 6L · 145 B
└─ 📝 SKILL.md Markdown 108L · 3.4 KB

依赖分析 6 项

包名版本来源已知漏洞备注
requests * pip Version not pinned
ffmpeg-python * pip Version not pinned
openai * pip Version not pinned
openai-whisper * pip Version not pinned
playwright * pip Version not pinned
nest_asyncio * pip Version not pinned

安全亮点

✓ Documentation (SKILL.md) accurately describes functionality and matches implementation
✓ No credential harvesting - API keys used only for intended services (SiliconFlow, MiniMax)
✓ No sensitive file access (~/.ssh, ~/.aws, .env) for theft purposes
✓ No data exfiltration - all network calls are to documented video platform APIs
✓ No obfuscation or base64-encoded hidden payloads
✓ Uses standard video processing libraries (ffmpeg, yt-dlp, whisper)
✓ Temporary files properly cleaned up with try/finally
✓ MCP tool descriptions are clear and accurate