← Back to Skills Marketplace
alexliu9921

alexliutkdownload

by alexliu9921 · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
128
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install alexliutkdownload
Description
抖音无水印视频下载工具。当用户发送抖音视频链接时,自动解析并下载无水印版本,上传到云盘发给用户。 Use cases: - 用户发送抖音链接 - "下载这个视频" - "帮我保存抖音视频" - "解析抖音链接
README (SKILL.md)

抖音无水印视频下载 Skill

Trigger

当用户发送抖音视频链接时激活。

Workflow

用户发送抖音链接
  → Step 1: 调用 parse-douyin.py 解析视频
  → Step 2: 上传视频到云盘
  → Step 3: 返回下载链接给用户

Commands

Step 1: 解析并下载

source ~/.agent-reach-venv/bin/activate
python3 ~/.qclaw/workspace/skills/douyin-download/parse-douyin.py \x3C抖音链接>

支持格式:

  • https://www.douyin.com/video/1234567890123456789
  • https://v.douyin.com/xxxxx?modal_id=1234567890123456789
  • 任意包含 19 位数字视频 ID 的链接

Step 2: 上传到云盘

PORT=${AUTH_GATEWAY_PORT:-19000}
curl -s -X POST http://localhost:$PORT/proxy/qclaw-cos/upload \
  -H 'Content-Type: application/json' \
  -d '{"localPath":"\x3C视频路径>","conflictStrategy":"ask"}'

Step 3: 返回结果

直接输出云盘返回的 message 字段内容。

Example

User Input:

https://www.douyin.com/video/7611512807091178804

AI Actions:

  1. 执行解析脚本
  2. 上传到云盘
  3. 输出云盘返回的链接

Output:

✅ 视频已保存!

📎 douyin_7611512807091178804.mp4 (104.2 MB)
🔗 下载链接: https://jsonproxy.3g.qq.com/urlmapper/xxxxx

云端保留 30 天,请及时保存~

Notes

  • 视频保存在 /tmp/douyin_\x3Cvideo_id>.mp4
  • 云端保留 30 天后自动清理
  • 无需 Cookie,已验证可直接解析公开视频
Usage Guidance
Before installing, verify the following: (1) confirm you trust the local upload proxy the skill calls (http://localhost:$PORT/proxy/qclaw-cos/upload) — ask the skill author what that service is and what permissions it has; (2) confirm the environment assumptions (~/.agent-reach-venv, ~/.qclaw/workspace) match your agent runtime or adjust the SKILL.md to use relative/declared paths; (3) fix the malformed requirements.txt (it currently contains '1 requests') so dependencies can be installed as intended; (4) review parse-douyin.py to ensure it only downloads the expected video file (it does perform network fetches and writes to /tmp); (5) consider running the skill in a sandboxed environment if you are unsure about the local proxy behavior or retention of downloaded files. If the author can declare the required env var(s) and clarify the local upload service, that would reduce the concerns and could change the assessment to benign.
Capability Analysis
Type: OpenClaw Skill Name: alexliutkdownload Version: 1.0.2 The skill is designed to download Douyin videos but contains a significant shell injection vulnerability in the SKILL.md instructions. The workflow directs the AI agent to execute a shell command by directly appending user-provided input to a Python call (python3 ... <抖音链接>), which allows for arbitrary command execution if the input is not sanitized. While the parse-douyin.py script and install.sh appear to perform their stated functions without intentional malice, the lack of input sanitization in the command templates poses a high risk to the host environment.
Capability Assessment
Purpose & Capability
The code and SKILL.md match the stated purpose: parse a Douyin link, download a no-watermark MP4 to /tmp, then upload it to a cloud drive. However the skill assumes the presence of a local upload proxy (http://localhost:$PORT/proxy/qclaw-cos/upload) and a specific virtualenv and workspace path (~/.agent-reach-venv and ~/.qclaw/workspace/skills/...), none of which are declared in the skill metadata. That mismatch (undeclared local service and fixed paths) is unexpected and should be justified.
Instruction Scope
SKILL.md explicitly tells the agent to source a specific virtualenv, execute the bundled parse-douyin.py from a hard-coded path, write the downloaded file to /tmp, and then POST a JSON payload to a localhost proxy endpoint. The instructions reference an env var (AUTH_GATEWAY_PORT) and local HTTP proxy that are not declared. These instructions reach outside the skill bundle (local service, filesystem) and grant the skill the ability to cause the local proxy to read arbitrary local files — this is scope creep that should be declared and explained.
Install Mechanism
There is no external download/install spec; the included install.sh simply copies the .py and .md files into a workspace directory — low risk. requirements.txt contains a malformed line ('1 requests'), so there is no reliable declared dependency installation step; this is a packaging bug that may cause runtime failures but not evidence of malicious downloads.
Credentials
The skill metadata declares no required environment variables or credentials, yet SKILL.md uses AUTH_GATEWAY_PORT and relies on a local HTTP upload proxy. Because those runtime dependencies are not declared, the agent or user may be surprised by required local service access. The script itself does not request external credentials, but the unexplained local proxy may have its own authorization semantics — that should be disclosed.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request system-wide persistence. install.sh writes files into the skill workspace (~/.qclaw/...), which is normal for a skill. It does not modify other skills or system-wide configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install alexliutkdownload
  3. After installation, invoke the skill by name or use /alexliutkdownload
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Added install.sh and requirements.txt for installation and dependency management. - Improved setup experience by providing clear installation scripts.
v1.0.0
Initial release of 抖音无水印视频下载工具: - 支持用户发送抖音视频链接自动解析、下载无水印视频,并上传到云盘。 - 返回云盘下载链接,视频保留30天。 - 兼容多种抖音链接格式,无需Cookie即可解析公开视频。
Metadata
Slug alexliutkdownload
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is alexliutkdownload?

抖音无水印视频下载工具。当用户发送抖音视频链接时,自动解析并下载无水印版本,上传到云盘发给用户。 Use cases: - 用户发送抖音链接 - "下载这个视频" - "帮我保存抖音视频" - "解析抖音链接. It is an AI Agent Skill for Claude Code / OpenClaw, with 128 downloads so far.

How do I install alexliutkdownload?

Run "/install alexliutkdownload" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is alexliutkdownload free?

Yes, alexliutkdownload is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does alexliutkdownload support?

alexliutkdownload is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created alexliutkdownload?

It is built and maintained by alexliu9921 (@alexliu9921); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments