doubao-media Security Report — Trusted | ClawSafe

5 /100

doubao-media

豆包网页端媒体提取与抓包工具

Legitimate Doubao media extraction tool with properly scoped capabilities and no malicious indicators.

Skill Namedoubao-media

Duration32.7s

Enginepi

✓

Safe to install

This skill is safe to use. All functionality aligns with declared behavior in SKILL.md.

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	HTTPS requests to www.doubao.com for API calls and media downloads
Filesystem	`WRITE`	`WRITE`	✓ Aligned	Writes session file (~/.doubao_chat_session.json) and downloads media to capture…
Shell	`WRITE`	`WRITE`	✓ Aligned	exec('start') used only for opening login page in doubao_session.js:45
Browser	`READ`	`READ`	✓ Aligned	CDP port 18800 for cookie extraction and network monitoring

1 Critical 7 findings

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(text, 'base64'

scripts/capture_doubao_media.js:370

🔗

Medium External URL 外部 URL

https://www.doubao.com/

SKILL.md:59

🔗

Medium External URL 外部 URL

https://www.doubao.com

scripts/doubao_api.js:78

🔗

Medium External URL 外部 URL

https://www.doubao.com/chat/

scripts/doubao_api.js:79

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/chrome-remote-interface/-/chrome-remote-interface-0.33.3.tgz

scripts/package-lock.json:17

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/commander/-/commander-2.11.0.tgz

scripts/package-lock.json:30

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ws/-/ws-7.5.10.tgz

scripts/package-lock.json:36

File Tree

7 files · 41.4 KB · 1274 lines

JavaScript 4f · 1066L Markdown 1f · 125L JSON 2f · 83L

├─ ▾ 📁 scripts

│ ├─ 📜 capture_doubao_media.js JavaScript 394L · 13.8 KB

│ ├─ 📜 doubao_api.js JavaScript 156L · 5.0 KB

│ ├─ 📜 doubao_media_api.js JavaScript 260L · 8.6 KB

│ ├─ 📜 doubao_session.js JavaScript 256L · 7.3 KB

│ ├─ 📋 package-lock.json JSON 55L · 1.6 KB

│ └─ 📋 package.json JSON 28L · 891 B

└─ 📝 SKILL.md Markdown 125L · 4.3 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`chrome-remote-interface`	`^0.33.3`	npm	No	Version pinned with caret range

Security Positives

✓ All network requests target exclusively Doubao infrastructure (www.doubao.com, bytedance, douyin domains)

✓ The base64 decoding at capture_doubao_media.js:370 is legitimate CDP response handling, not obfuscation

✓ Session cookies stored locally only, used only for API authentication with Doubao

✓ File operations scoped to session management and media download - no sensitive path access

✓ Dependencies (chrome-remote-interface) are versioned and from trusted npm registry

✓ SKILL.md documentation accurately reflects implementation capabilities

✓ No credential exfiltration, data theft, or C2 communication patterns detected

Scan Report

File Tree

Dependencies 1 items

Security Positives