Low risk: risk score 20/100
Last scan: 1 day ago
douyin-video-download
Douyin batch video download tool: supports single-video and batch downloads, automatic deduplication, and watermark-free downloads.
Legitimate video downloader with secure shell execution practices, but it suffers from unpinned dependencies and incomplete documentation of its dependencies.
Skill name: douyin-video-download
Analysis time: 32.6s
Engine: pi
Verdict: can be installed
Recommendation: Pin all dependency versions in package.json to prevent supply chain attacks, and document all dependencies (dotenv, Playwright) in SKILL.md.

Security findings (2)

Severity: Medium
Finding: Unpinned dependencies in package.json (category: supply chain)
Location: package.json:17
All npm dependencies use caret (^) versioning, which allows automatic minor/patch updates without review. This could enable a supply chain attack if a package maintainer's account is compromised.
    "axios": "^1.6.0",
    "cheerio": "^1.0.0-rc.12",
    "dotenv": "^16.3.1",
    "playwright-chromium": "^1.58.2"
→ Pin versions without caret: "axios": "1.6.0", "cheerio": "1.0.0-rc.12", etc.

Severity: Low
Finding: Undocumented dependencies (category: documentation deception)
Location: SKILL.md:1
SKILL.md mentions yt-dlp but does not mention dotenv or playwright-chromium, which are critical runtime dependencies: dotenv loads .env files, and playwright-chromium handles browser automation.
The SKILL.md installation section only mentions npm install and playwright install chromium; dotenv is missing.
→ Document all runtime dependencies in SKILL.md
Resource | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | lib/parser.js:1 - playwright-chromium; lib/downloader.js:1 - curl/yt-dlp
File system | WRITE | WRITE | ✓ consistent | lib/downloader.js:16-20 - fs.mkdirSync, fs.writeFileSync pattern
Command execution | WRITE | WRITE | ✓ consistent | lib/downloader.js:44-75 - uses spawn with args array, proper injection preventio…
External URL findings (5)

Severity | Type | URL | Location
Medium | External URL | https://v.douyin.com/xxxxx | SKILL.md:46
Medium | External URL | https://www.douyin.com/video/123456 | SKILL.md:49
Medium | External URL | https://v.douyin.com/yyyyy | SKILL.md:61
Medium | External URL | https://aweme.snssdk.com/aweme/v1/play/?video_id=$ | lib/downloader.js:119
Medium | External URL | https://dotenvx.com | package-lock.json:209

Directory structure

7 files · 40.9 KB · 1312 lines
JSON: 3 files · 673 lines; JavaScript: 3 files · 554 lines; Markdown: 1 file · 85 lines
├─ lib/
│  ├─ downloader.js (JavaScript, 156 lines, 4.5 KB)
│  └─ parser.js (JavaScript, 178 lines, 4.7 KB)
├─ scripts/
│  └─ download.js (JavaScript, 220 lines, 6.0 KB)
├─ _meta.json (JSON, 5 lines, 177 B)
├─ package-lock.json (JSON, 635 lines, 22.2 KB)
├─ package.json (JSON, 33 lines, 671 B)
└─ SKILL.md (Markdown, 85 lines, 2.7 KB)

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
axios | ^1.6.0 | npm | - | Version not pinned (caret range)
cheerio | ^1.0.0-rc.12 | npm | - | Version not pinned (caret range)
dotenv | ^16.3.1 | npm | - | Version not pinned (caret range)
playwright-chromium | ^1.58.2 | npm | - | Version not pinned (caret range)

Security highlights

✓ Uses child_process.spawn with array args - proper command injection prevention
✓ No base64 encoding or obfuscation detected
✓ No credential theft or environment variable harvesting
✓ No data exfiltration to external servers
✓ No reverse shell or C2 communication
✓ Validates video_id with regex: /^[a-z0-9A-Z_]+$/
✓ Properly checks downloaded file content for HTML (anti-scraping detection)