
Douyin Upload Skill

by YJLi-new · GitHub ↗ · v0.1.0
cross-platform · ⚠ suspicious
Downloads: 546 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw: /install douyin-upload-skill
Description
Login and publish Douyin (China mainland) videos from local files with OAuth, local speech-to-text, and generated caption drafts. Use when users ask to autho...
README (SKILL.md)

Douyin Upload Skill

Overview

Use this skill to publish local videos to Douyin with a deterministic CLI flow:

  1. Validate local dependencies and env.
  2. OAuth authorize and store encrypted token locally.
  3. Prepare video metadata and transcript from local audio.
  4. Generate 3 caption candidates in chat from transcript.
  5. Confirm or edit caption, then publish.
  6. If official publish permission is unavailable, export an outbox package for manual publish.

Use the script at <skill_root>/scripts/douyin.js.

Required Environment

Set these environment variables before auth or publish:

  • DOUYIN_CLIENT_KEY
  • DOUYIN_CLIENT_SECRET
  • DOUYIN_REDIRECT_URI

Optional overrides:

  • DOUYIN_SCOPE
  • DOUYIN_TOKEN_ENC_KEY
  • DOUYIN_ASR_MODE (api / whisper-gpu / whisper-cpu)
  • DOUYIN_ASR_API_URL
  • DOUYIN_ASR_API_MODEL
  • DOUYIN_ASR_API_KEY
  • DOUYIN_WHISPER_BIN
  • DOUYIN_WHISPER_MODEL_PATH
  • DOUYIN_FFMPEG_BIN
  • DOUYIN_FFPROBE_BIN

Workflow

  1. Run dependency checks:
     node <skill_root>/scripts/douyin.js doctor
  2. Authorize account (manual code paste flow):
     node <skill_root>/scripts/douyin.js auth
  3. Prepare transcript and metadata from a local video path. Accept both Linux and Windows path formats.
     node <skill_root>/scripts/douyin.js prepare --video "E:\\videos\\demo.mp4"
  4. Create 3 caption candidates from transcript.text with this structure:
       • Line 1: title hook
       • Line 2-3: concise description
       • Final line: 2-5 hashtags
  5. Ask user to select or edit one final caption.
  6. Publish with explicit visibility and confirmation policy:
     node <skill_root>/scripts/douyin.js publish \
       --video "E:\\videos\\demo.mp4" \
       --text "<final caption>" \
       --private-status 0 \
       --auto-confirm false

Command Behavior

  • doctor: reports dependency and env readiness plus install hints.
  • auth: opens OAuth URL, accepts pasted callback URL or code, stores encrypted token.
  • prepare: returns metadata, transcript, and ASR failure detail (without stopping publish flow).
  • publish: uploads and creates video via official API. If permission-like API errors occur, writes fallback files under outbox and returns mode: fallback.
  • config: stores persistent settings (defaultPrivateStatus, autoConfirm, whisperBin, whisperModelPath, outboxDir, etc.).

Caption Rules

Before publish:

  • Keep final text length <= 1000.
  • Always show the final draft to the user.
  • If auto-confirm is false, require explicit user confirmation in terminal.

Output Contracts

Treat script stdout as JSON. Always parse and branch by:

  • ok
  • command
  • mode (official or fallback for publish)
  • asrError (optional in prepare)
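
A fail-closed reader for the output contract above, as an added example that is not part of the skill's own code. The field names (ok, command, mode, asrError) come from the contract; the function name and the returned `next` labels are assumptions made for illustration.

```javascript
// Added example, not the skill's code: field names (ok, command, mode, asrError)
// come from the contract above; the returned "next" labels are assumptions.
function interpretDouyinStdout(stdout) {
  let msg;
  try {
    msg = JSON.parse(stdout);
  } catch {
    return { next: 'abort', why: 'stdout is not valid JSON' };
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return { next: 'abort', why: 'stdout is not a JSON object' };
  }
  // Strict type checks: "false" (a string) or a missing field must not read as success.
  if (typeof msg.ok !== 'boolean' || typeof msg.command !== 'string') {
    return { next: 'abort', why: 'missing or mistyped ok/command' };
  }
  if (!msg.ok) return { next: 'report-error', why: `${msg.command} failed` };

  if (msg.command === 'publish') {
    if (msg.mode === 'official') return { next: 'done', why: 'published via official API' };
    if (msg.mode === 'fallback') return { next: 'manual-publish', why: 'outbox package written' };
    // Any other mode is treated as a contract violation, not as a successful publish.
    return { next: 'abort', why: 'publish succeeded with unknown mode' };
  }
  if (msg.command === 'prepare') {
    // An ASR failure does not stop the flow, but captions then lack a transcript.
    return msg.asrError
      ? { next: 'draft-captions-without-transcript', why: 'asrError present' }
      : { next: 'draft-captions', why: 'transcript available' };
  }
  return { next: 'continue', why: `${msg.command} ok` };
}
```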
Usage Guidance
This tool appears to do what it claims (authorize Douyin, transcribe, draft captions, and publish or export a fallback package). Before installing or running it:

  • Expect to set DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, and DOUYIN_REDIRECT_URI — the registry metadata omits these required env vars.
  • If you do NOT want your audio uploaded to a cloud ASR service, set DOUYIN_ASR_MODE to whisper-gpu or whisper-cpu and ensure whisper-cli and the model are installed; otherwise the default mode ('api') will POST audio to the configured ASR API (DEFAULT_ASR_API_URL is the OpenAI transcription endpoint).
  • The tool writes encrypted tokens and a local key file under ~/.config/douyin-upload-skill; if you provide DOUYIN_TOKEN_ENC_KEY it will use that instead. Protect these files and review token persistence policy if you share the machine.
  • The fallback outbox includes source-path.txt (the original local path) and transcript/caption files — review these before copying or sharing the outbox.
  • If you need assurance about what external endpoints are contacted, inspect/modify config.asrApiUrl and the code; the Douyin endpoints used are https://open.douyin.com and the ASR endpoint is configurable.

Given the metadata mismatch and privacy-impacting default (ASR API), proceed only after confirming environment variables and setting ASR mode to local if you require on‑device transcription.
Capability Analysis
Type: OpenClaw Skill
Name: douyin-upload-skill
Version: 0.1.0

The skill is classified as suspicious due to significant shell injection vulnerabilities. The `scripts/lib/config.js::validateConfigValue` function performs insufficient validation for configuration keys such as `ffmpegBin`, `ffprobeBin`, `whisperBin`, and `asrApiUrl`. These values, which can be controlled via environment variables (e.g., `DOUYIN_FFMPEG_BIN`) or the `config set` command, are later used as executable paths or arguments to `child_process.execFile` or `spawnSync('which', ...)`, or as URLs for `fetch` in `scripts/douyin.js` and `scripts/lib/media.js`. An attacker able to control these configuration values could inject arbitrary shell commands, leading to Remote Code Execution (RCE) or redirect sensitive audio data to malicious external endpoints. While the skill's stated purpose is benign, these vulnerabilities pose a high risk.
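
One way to tighten validation for the four keys named above, as an added example that is not the skill's own code. The key names come from the analysis; the function names, the accepted binary names and the ASR host allowlist are assumptions an operator would set to match their own policy.

```javascript
// Added example, not the skill's code. Key names come from the analysis above;
// the function names, basename lists and host allowlist are assumptions.
const fs = require('node:fs');
const path = require('node:path');

const BIN_NAMES = {
  ffmpegBin: ['ffmpeg', 'ffmpeg.exe'],
  ffprobeBin: ['ffprobe', 'ffprobe.exe'],
  whisperBin: ['whisper-cli', 'whisper-cli.exe'],
};
// Operator policy (assumed): the only remote hosts audio may be POSTed to.
const ASR_HOSTS = new Set(['api.openai.com']);
const LOOPBACK = new Set(['localhost', '127.0.0.1']);

function checkBinary(key, value) {
  // Absolute path only, so nothing is resolved through PATH or the working directory.
  if (!path.isAbsolute(value)) return 'binary path must be absolute';
  if (!BIN_NAMES[key].includes(path.basename(value).toLowerCase())) {
    return 'unexpected binary name';
  }
  // POSIX check: in a directory any local user can write to, the binary can be swapped.
  let st;
  try { st = fs.statSync(path.dirname(value)); } catch { return 'directory not found'; }
  if (process.platform !== 'win32' && (st.mode & 0o002)) return 'directory is world-writable';
  return null;
}

function checkAsrUrl(value) {
  let u;
  try { u = new URL(value); } catch { return 'not a URL'; }
  if (u.username || u.password) return 'credentials in URL';
  if (LOOPBACK.has(u.hostname)) return null; // local ASR server, plain http tolerated
  if (u.protocol !== 'https:') return 'remote ASR endpoint must use https';
  if (!ASR_HOSTS.has(u.hostname)) return 'host not in allowlist';
  return null;
}

// Returns { ok, reason }; keys this validator does not know are rejected, not passed through.
function validateConfigValueStrict(key, value) {
  if (typeof value !== 'string' || value === '' || /[\0-\x1f]/.test(value)) {
    return { ok: false, reason: 'empty, non-string or control characters' };
  }
  const reason = Object.hasOwn(BIN_NAMES, key) ? checkBinary(key, value)
    : key === 'asrApiUrl' ? checkAsrUrl(value)
    : 'key not covered by this validator';
  return { ok: reason === null, reason };
}
```

The same check has to run on values arriving from environment variables such as `DOUYIN_FFMPEG_BIN` as well as from `config set`, since the analysis names both as input paths.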
Capability Assessment
Purpose & Capability
The code and SKILL.md implement a Douyin OAuth + upload + local/third-party ASR + fallback outbox workflow that matches the skill name and description. However the registry metadata claims no required environment variables while SKILL.md and the code require DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, and DOUYIN_REDIRECT_URI (and optionally DOUYIN_ASR_API_KEY, DOUYIN_TOKEN_ENC_KEY, etc.). This metadata omission is an inconsistency you should be aware of.
Instruction Scope
Runtime instructions and the code operate on local video files, compute SHA256, extract audio, run local binaries (ffmpeg/whisper-cli) and may send audio to a configured ASR API. By default the config sets asrMode='api', and DEFAULT_ASR_API_URL is set to OpenAI's transcription endpoint — meaning audio may be uploaded to a third‑party by default unless you explicitly configure local whisper mode. The tool also writes transcript cache, outbox packages, and encrypted tokens under ~/.config/. These behaviors are consistent with the tool's functionality but are privacy-sensitive and not explicitly emphasized in the registry metadata.
Install Mechanism
There is no external install spec (no downloaded installers or remote archives); the package contains Node.js scripts. The code expects local binaries (ffmpeg, ffprobe, whisper-cli, xdg-open). This is lower risk than fetching remote executables, but it does rely on running local command-line tools.
Credentials
The environment variables requested by SKILL.md and used in code (DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, DOUYIN_REDIRECT_URI, optional DOUYIN_ASR_API_KEY, DOUYIN_TOKEN_ENC_KEY, etc.) are proportionate to a CLI that authenticates with Douyin and optionally calls an ASR API. The registry metadata incorrectly lists zero required env vars — a mismatch. Also DOUYIN_ASR_API_KEY can cause audio to be sent to a third-party if asrMode is left as 'api'.
Persistence & Privilege
The skill stores encrypted tokens and a local key file under standard per-user paths (~/.config, ~/.cache, ~/.local/share). It does not request system-wide or other skills' credentials and it does not set always:true. Token storage uses AES-256-GCM with a key derived from an env var or a local token.key file. This is expected for persistent CLI credentials but creates a persistent local artifact you should manage and protect.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install douyin-upload-skill
  3. After installation, invoke the skill by name or use /douyin-upload-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial public release
Metadata
Slug douyin-upload-skill
Version 0.1.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Douyin Upload Skill?

Login and publish Douyin (China mainland) videos from local files with OAuth, local speech-to-text, and generated caption drafts. Use when users ask to autho... It is an AI Agent Skill for Claude Code / OpenClaw, with 546 downloads so far.

How do I install Douyin Upload Skill?

Run "/install douyin-upload-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Douyin Upload Skill free?

Yes, Douyin Upload Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Douyin Upload Skill support?

Douyin Upload Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Douyin Upload Skill?

It is built and maintained by YJLi-new (@yjli-new); the current version is v0.1.0.
