Low Risk — Risk Score 20/100
Last scan: 1 day ago
douyin-video-download
Douyin bulk video download tool - supports single-video and batch downloads, automatic deduplication, and watermark-free downloads
Legitimate video downloader with secure shell execution practices, but suffers from unpinned dependencies and incomplete documentation disclosure.
Skill Name: douyin-video-download
Duration: 32.6s
Engine: pi
Safe to install
Pin all dependency versions in package.json to prevent supply chain attacks, and document all dependencies (dotenv, Playwright) in SKILL.md.

Findings 2 items

Severity: Medium
Finding: Unpinned dependencies in package.json (Supply Chain)
All npm dependencies use caret (^) versioning, which allows automatic minor/patch updates without review. This could enable a supply chain attack if a package maintainer's account is compromised.
  "axios": "^1.6.0",
  "cheerio": "^1.0.0-rc.12",
  "dotenv": "^16.3.1",
  "playwright-chromium": "^1.58.2"
→ Pin versions without caret: "axios": "1.6.0", "cheerio": "1.0.0-rc.12", etc.
Location: package.json:17

Severity: Low
Finding: Undocumented dependencies (Doc Mismatch)
SKILL.md mentions yt-dlp but does not mention dotenv or playwright-chromium, which are critical runtime dependencies: dotenv loads .env files and playwright-chromium handles browser automation. The SKILL.md installation section only mentions npm install and playwright install chromium; dotenv is not covered.
→ Document all runtime dependencies in SKILL.md
Location: SKILL.md:1
Resources

Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | lib/parser.js:1 - playwright-chromium; lib/downloader.js:1 - curl/yt-dlp
Filesystem | WRITE | WRITE | ✓ Aligned | lib/downloader.js:16-20 - fs.mkdirSync, fs.writeFileSync pattern
Shell | WRITE | WRITE | ✓ Aligned | lib/downloader.js:44-75 - uses spawn with args array, proper injection preventio…
External URLs 5 findings

Severity | Type | URL | Location
Medium | External URL | https://v.douyin.com/xxxxx | SKILL.md:46
Medium | External URL | https://www.douyin.com/video/123456 | SKILL.md:49
Medium | External URL | https://v.douyin.com/yyyyy | SKILL.md:61
Medium | External URL | https://aweme.snssdk.com/aweme/v1/play/?video_id=$ | lib/downloader.js:119
Medium | External URL | https://dotenvx.com | package-lock.json:209

File Tree

7 files · 40.9 KB · 1312 lines
JSON: 3 files, 673 lines · JavaScript: 3 files, 554 lines · Markdown: 1 file, 85 lines
├─ 📁 lib
│ ├─ 📜 downloader.js JavaScript 156L · 4.5 KB
│ └─ 📜 parser.js JavaScript 178L · 4.7 KB
├─ 📁 scripts
│ └─ 📜 download.js JavaScript 220L · 6.0 KB
├─ 📋 _meta.json JSON 5L · 177 B
├─ 📋 package-lock.json JSON 635L · 22.2 KB
├─ 📋 package.json JSON 33L · 671 B
└─ 📝 SKILL.md Markdown 85L · 2.7 KB

Dependencies 4 items

Package | Version | Source | Known Vulns | Notes
axios | ^1.6.0 | npm | No | Version not pinned (caret range)
cheerio | ^1.0.0-rc.12 | npm | No | Version not pinned (caret range)
dotenv | ^16.3.1 | npm | No | Version not pinned (caret range)
playwright-chromium | ^1.58.2 | npm | No | Version not pinned (caret range)

Security Positives

✓ Uses child_process.spawn with array args - proper command injection prevention
✓ No base64 encoding or obfuscation detected
✓ No credential theft or environment variable harvesting
✓ No data exfiltration to external servers
✓ No reverse shell or C2 communication
✓ Validates video_id with regex: /^[a-z0-9A-Z_]+$/
✓ Properly checks downloaded file content for HTML (anti-scraping detection)