Name: douyin-video-analyzer Security Report — Trusted | ClawSafe
Item: douyin-video-analyzer
Rating: 95
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

5 /100

douyin-video-analyzer

抖音视频深度拆解分析器

合法的抖音视频分析工具，功能实现完整，权限使用合理，预扫描发现的硬编码IP为占位符地址（120.0.0.0），不影响安全。

Skill Namedouyin-video-analyzer

Duration39.4s

Enginepi

ClawHub Douyin Video Analyzer v3.7.4 by franklu0819-lang

📥 923 📦 10 ⭐ 1

ClawHub Verdict Suspicious dangerous_execvt_suspicious

✓

Safe to install

可直接使用

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/analyze.js 临时文件写入
Network	`READ`	`READ`	✓ Aligned	lib/scraper.js 抖音页面抓取
Shell	`WRITE`	`WRITE`	✓ Aligned	lib/video-downloader.js 调用 yt-dlp
Environment	`READ`	`READ`	✓ Aligned	scripts/analyze.js 读取 ZHIPU_API_KEY
Browser	`WRITE`	`WRITE`	✓ Aligned	lib/playwright-scraper.js 启动无头浏览器

1 High 9 findings

📡

High IP Address 硬编码 IP 地址

120.0.0.0

lib/scraper.js:11

🔗

Medium External URL 外部 URL

https://v.douyin.com/xxxxx

PRD.md:72

🔗

Medium External URL 外部 URL

https://v.douyin.com/xxxxxx/

SKILL.md:44

🔗

Medium External URL 外部 URL

https://ffmpeg.org/download.html

lib/frame-extractor.js:59

🔗

Medium External URL 外部 URL

https://v.douyin.com/6biejtHeP30/

lib/playwright-scraper.js:98

🔗

Medium External URL 外部 URL

https://www.douyin.com/

lib/scraper.js:38

🔗

Medium External URL 外部 URL

https://www.douyin.com/video/$

lib/scraper.js:151

🔗

Medium External URL 外部 URL

https://open.bigmodel.cn/api/paas/v4/chat/completions

openspec/changes/phase2-video-analysis/design/architecture.md:117

🔗

Medium External URL 外部 URL

https://dotenvx.com

package-lock.json:209

File Tree

18 files · 78.6 KB · 2482 lines

JavaScript 9f · 1319L JSON 3f · 695L Markdown 6f · 468L

├─ ▾ 📁 lib

│ ├─ 📜 ai-analyzer.js JavaScript 161L · 5.0 KB

│ ├─ 📜 audio-processor.js JavaScript 115L · 3.4 KB

│ ├─ 📜 frame-extractor.js JavaScript 152L · 4.1 KB

│ ├─ 📜 playwright-scraper.js JavaScript 105L · 3.8 KB

│ ├─ 📜 scraper.js JavaScript 194L · 5.4 KB

│ ├─ 📜 url-resolver.js JavaScript 147L · 3.5 KB

│ ├─ 📜 utils.js JavaScript 93L · 2.3 KB

│ └─ 📜 video-downloader.js JavaScript 209L · 6.2 KB

├─ ▾ 📁 openspec

│ └─ ▾ 📁 changes

│ └─ ▾ 📁 phase2-video-analysis

│ ├─ ▾ 📁 design

│ │ └─ 📝 architecture.md Markdown 178L · 5.7 KB

│ ├─ ▾ 📁 specs

│ │ └─ 📝 requirements.md Markdown 46L · 1.7 KB

│ ├─ ▾ 📁 tasks

│ │ └─ 📝 implementation.md Markdown 64L · 2.3 KB

│ └─ 📝 proposal.md Markdown 22L · 738 B

├─ ▾ 📁 scripts

│ └─ 📜 analyze.js JavaScript 143L · 5.7 KB

├─ 📋 _meta.json JSON 22L · 717 B

├─ 📋 package-lock.json JSON 635L · 22.2 KB

├─ 📋 package.json JSON 38L · 986 B

├─ 📝 PRD.md Markdown 103L · 3.2 KB

└─ 📝 SKILL.md Markdown 55L · 1.8 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`axios`	`^1.6.0`	npm	No	有版本锁定
`cheerio`	`^1.0.0-rc.12`	npm	No	有版本锁定
`dotenv`	`^16.3.1`	npm	No	有版本锁定
`playwright-chromium`	`^1.40.0`	npm	No	有版本锁定

Security Positives

✓ 声明-行为完全一致，SKILL.md 与代码实现匹配

✓ 数据流透明：本地处理 + 智谱AI，文档明确说明

✓ 临时文件清理机制完善（frameExtractor.cleanupFrames + unlinkSync）

✓ 依赖有版本锁定（axios ^1.6.0, cheerio ^1.0.0-rc.12, playwright-chromium ^1.40.0）

✓ 无敏感路径访问（~/.ssh、~/.aws、.env 等）

✓ 无凭证收割行为（仅读取 ZHIPU_API_KEY 用于调用智谱API）

✓ 无反向shell或C2通信

✓ 无代码混淆或Base64执行

Scan Report

File Tree

Dependencies 4 items

Security Positives