← 返回 Skills 市场

alexliutkdownload

Name: alexliutkdownload
Author: alexliu9921

作者 alexliu9921 · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ⚠ suspicious

128

总下载

当前安装

版本数

在 OpenClaw 中安装

/install alexliutkdownload

功能描述

抖音无水印视频下载工具。当用户发送抖音视频链接时，自动解析并下载无水印版本，上传到云盘发给用户。 Use cases: - 用户发送抖音链接 - "下载这个视频" - "帮我保存抖音视频" - "解析抖音链接

使用说明 (SKILL.md)

抖音无水印视频下载 Skill

Trigger

当用户发送抖音视频链接时激活。

Workflow

用户发送抖音链接
  → Step 1: 调用 parse-douyin.py 解析视频
  → Step 2: 上传视频到云盘
  → Step 3: 返回下载链接给用户

Commands

Step 1: 解析并下载

source ~/.agent-reach-venv/bin/activate
python3 ~/.qclaw/workspace/skills/douyin-download/parse-douyin.py \x3C抖音链接>

支持格式：

https://www.douyin.com/video/1234567890123456789
https://v.douyin.com/xxxxx?modal_id=1234567890123456789
任意包含 19 位数字视频 ID 的链接

Step 2: 上传到云盘

PORT=${AUTH_GATEWAY_PORT:-19000}
curl -s -X POST http://localhost:$PORT/proxy/qclaw-cos/upload \
  -H 'Content-Type: application/json' \
  -d '{"localPath":"\x3C视频路径>","conflictStrategy":"ask"}'

Step 3: 返回结果

直接输出云盘返回的 message 字段内容。

Example

User Input:

https://www.douyin.com/video/7611512807091178804

AI Actions:

执行解析脚本
上传到云盘
输出云盘返回的链接

Output:

✅ 视频已保存！

📎 douyin_7611512807091178804.mp4 (104.2 MB)
🔗 下载链接: https://jsonproxy.3g.qq.com/urlmapper/xxxxx

云端保留 30 天，请及时保存~

Notes

视频保存在 /tmp/douyin_\x3Cvideo_id>.mp4
云端保留 30 天后自动清理
无需 Cookie，已验证可直接解析公开视频

安全使用建议

Before installing, verify the following: (1) confirm you trust the local upload proxy the skill calls (http://localhost:$PORT/proxy/qclaw-cos/upload) — ask the skill author what that service is and what permissions it has; (2) confirm the environment assumptions (~/.agent-reach-venv, ~/.qclaw/workspace) match your agent runtime or adjust the SKILL.md to use relative/declared paths; (3) fix the malformed requirements.txt (it currently contains '1 requests') so dependencies can be installed as intended; (4) review parse-douyin.py to ensure it only downloads the expected video file (it does perform network fetches and writes to /tmp); (5) consider running the skill in a sandboxed environment if you are unsure about the local proxy behavior or retention of downloaded files. If the author can declare the required env var(s) and clarify the local upload service, that would reduce the concerns and could change the assessment to benign.

功能分析

Type: OpenClaw Skill Name: alexliutkdownload Version: 1.0.2 The skill is designed to download Douyin videos but contains a significant shell injection vulnerability in the SKILL.md instructions. The workflow directs the AI agent to execute a shell command by directly appending user-provided input to a Python call (python3 ... <抖音链接>), which allows for arbitrary command execution if the input is not sanitized. While the parse-douyin.py script and install.sh appear to perform their stated functions without intentional malice, the lack of input sanitization in the command templates poses a high risk to the host environment.

能力评估

ℹ Purpose & Capability

The code and SKILL.md match the stated purpose: parse a Douyin link, download a no-watermark MP4 to /tmp, then upload it to a cloud drive. However the skill assumes the presence of a local upload proxy (http://localhost:$PORT/proxy/qclaw-cos/upload) and a specific virtualenv and workspace path (~/.agent-reach-venv and ~/.qclaw/workspace/skills/...), none of which are declared in the skill metadata. That mismatch (undeclared local service and fixed paths) is unexpected and should be justified.

⚠ Instruction Scope

SKILL.md explicitly tells the agent to source a specific virtualenv, execute the bundled parse-douyin.py from a hard-coded path, write the downloaded file to /tmp, and then POST a JSON payload to a localhost proxy endpoint. The instructions reference an env var (AUTH_GATEWAY_PORT) and local HTTP proxy that are not declared. These instructions reach outside the skill bundle (local service, filesystem) and grant the skill the ability to cause the local proxy to read arbitrary local files — this is scope creep that should be declared and explained.

ℹ Install Mechanism

There is no external download/install spec; the included install.sh simply copies the .py and .md files into a workspace directory — low risk. requirements.txt contains a malformed line ('1 requests'), so there is no reliable declared dependency installation step; this is a packaging bug that may cause runtime failures but not evidence of malicious downloads.

⚠ Credentials

The skill metadata declares no required environment variables or credentials, yet SKILL.md uses AUTH_GATEWAY_PORT and relies on a local HTTP upload proxy. Because those runtime dependencies are not declared, the agent or user may be surprised by required local service access. The script itself does not request external credentials, but the unexplained local proxy may have its own authorization semantics — that should be disclosed.

✓ Persistence & Privilege

The skill is user-invocable, not always-enabled, and does not request system-wide persistence. install.sh writes files into the skill workspace (~/.qclaw/...), which is normal for a skill. It does not modify other skills or system-wide configs.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install alexliutkdownload
安装完成后，直接呼叫该 Skill 的名称或使用 /alexliutkdownload 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

- Added install.sh and requirements.txt for installation and dependency management. - Improved setup experience by providing clear installation scripts.

v1.0.0

Initial release of 抖音无水印视频下载工具: - 支持用户发送抖音视频链接自动解析、下载无水印视频，并上传到云盘。 - 返回云盘下载链接，视频保留30天。 - 兼容多种抖音链接格式，无需Cookie即可解析公开视频。

元数据

Slug alexliutkdownload

版本 1.0.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题