← Back to Skills Marketplace
tang2606

Tdl Download Notify

by Wade · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
91
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install tdl-download-notify
Description
TDL 下载完成后自动通过 Server 酱微信通知,包含文件名和大小信息
Usage Guidance
This skill's behavior is coherent with its stated purpose (running tdl and notifying via Server 酱), but there are several red flags you should address before installing or using it: - Hard-coded SendKey: The script contains an embedded Server 酱 SendKey and will send file names, sizes, timestamps and the download directory to sctapi.ftqq.com using that key. If you do not control that SendKey, your download metadata will be sent to someone else. Ask the author to remove the embedded key and accept a SENDKEY via environment variable or configuration file. - Metadata mismatch: The registry metadata does not declare required binaries or libraries, while SKILL.md says the script needs 'tdl' and the 'requests' Python package. Ensure tdl is installed and requests is available before running. - Default paths and privileges: The default output_dir is /root/tdl_download. Consider changing this to a user-writable path and verify the agent will not gain access to unintended files. - Data sent to third party: The notifications include file metadata. Confirm that you (or your organization) are comfortable with that metadata leaving your host and going to the Server 酱 account associated with the key. Recommended actions before installing: 1) Replace the hard-coded SENDKEY with a required environment variable (and update registry metadata to declare it). 2) Confirm/own the SendKey (or provide your own) so notifications go to an account you control. 3) Update registry metadata to declare dependencies (tdl, requests) and the expected configuration paths. 4) Run the script in a sandbox or test environment first to confirm outputs and that only expected data is transmitted. 5) If you cannot verify/control the SendKey, do not install or run this skill — it would leak download metadata to a third party. Given these issues (especially the embedded credential and metadata inconsistencies) I rate the package as suspicious rather than clearly benign; fixing the points above would move it toward benign.
Capability Analysis
Type: OpenClaw Skill Name: tdl-download-notify Version: 1.0.0 The skill contains a hardcoded ServerChan API key (sctp6765tcomfljakjcquc4e7mdaman) in both SKILL.md and tdl_download_notify.py. This configuration causes metadata about the user's downloads—including filenames, sizes, and Telegram source URLs—to be sent to the owner of that specific key at sctapi.ftqq.com. While the behavior is consistent with the stated purpose of providing notifications, hardcoding a specific credential instead of using a placeholder or environment variable results in the exfiltration of user activity data to a third party.
Capability Assessment
Purpose & Capability
The skill's stated purpose is to download Telegram content with tdl and notify via Server 酱 — the code implements exactly that. However the registry metadata lists no requirements while SKILL.md metadata declares python 'requests' and a 'tdl' binary; this mismatch suggests the package metadata is incomplete. More importantly, the script embeds a Server 酱 SendKey (sctp6765t...aman) rather than requiring the user to provide credentials, which is not proportionate to a downloader/notify helper and is unexpected for a third‑party integration.
Instruction Scope
Runtime instructions and the included script run the tdl binary, list and compare contents of a download directory, build file lists (names, sizes, modified times) and POST that information to the Server 酱 API using the embedded SendKey. Sending file metadata (file names, sizes, timestamps, directory path) to an external endpoint is effectively data exfiltration of metadata — acceptable only if the key belongs to the installer. SKILL.md also references local paths (/root/openclaw/...), but the script does not read those files; this discrepancy reduces clarity about where configuration should live.
Install Mechanism
No install spec is present (instruction-only plus a single script). That keeps disk writes limited to the included script and the tdl binary invocation; from an installation perspective this is low risk. Nothing is being downloaded/installed from arbitrary URLs by the skill.
Credentials
No required environment variables or primary credential are declared, yet the script hardcodes a Server 酱 SendKey. Best practice would be to require a SENDKEY env var (or other explicit configuration). The skill also assumes a default download directory (/root/tdl_download), which implies root paths and could cause permission/visibility issues. The number and nature of implicit credentials (embedded key) is disproportionate and undocumented in registry metadata.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or global agent settings. It will execute autonomously if the agent is allowed to invoke skills (the platform default), which is expected for this kind of helper.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install tdl-download-notify
  3. After installation, invoke the skill by name or use /tdl-download-notify
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — Telegram resource downloads with Server酱 WeChat notifications. - Automatically sends WeChat notifications (file names and sizes) upon download completion. - Supports both successful and failed download notifications. - Tracks multiple downloaded files, providing detailed file info and statistics. - Default and customizable download directories. - Simple command-line usage plus OpenClaw integration. - Requires TDL and Server酱 configuration.
Metadata
Slug tdl-download-notify
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Tdl Download Notify?

TDL 下载完成后自动通过 Server 酱微信通知,包含文件名和大小信息. It is an AI Agent Skill for Claude Code / OpenClaw, with 91 downloads so far.

How do I install Tdl Download Notify?

Run "/install tdl-download-notify" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tdl Download Notify free?

Yes, Tdl Download Notify is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Tdl Download Notify support?

Tdl Download Notify is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Tdl Download Notify?

It is built and maintained by Wade (@tang2606); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments