← 返回 Skills 市场

Douyin Upload Skill

Name: Douyin Upload Skill
Author: yjli-new

作者 YJLi-new · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

546

总下载

当前安装

版本数

在 OpenClaw 中安装

/install douyin-upload-skill

功能描述

Login and publish Douyin (China mainland) videos from local files with OAuth, local speech-to-text, and generated caption drafts. Use when users ask to autho...

使用说明 (SKILL.md)

Douyin Upload Skill

Overview

Use this skill to publish local videos to Douyin with a deterministic CLI flow:

Validate local dependencies and env.
OAuth authorize and store encrypted token locally.
Prepare video metadata and transcript from local audio.
Generate 3 caption candidates in chat from transcript.
Confirm or edit caption, then publish.
If official publish permission is unavailable, export an outbox package for manual publish.

Use the script at \x3Cskill_root>/scripts/douyin.js.

Required Environment

Set these environment variables before auth or publish:

DOUYIN_CLIENT_KEY
DOUYIN_CLIENT_SECRET
DOUYIN_REDIRECT_URI

Optional overrides:

DOUYIN_SCOPE
DOUYIN_TOKEN_ENC_KEY
DOUYIN_ASR_MODE (api / whisper-gpu / whisper-cpu)
DOUYIN_ASR_API_URL
DOUYIN_ASR_API_MODEL
DOUYIN_ASR_API_KEY
DOUYIN_WHISPER_BIN
DOUYIN_WHISPER_MODEL_PATH
DOUYIN_FFMPEG_BIN
DOUYIN_FFPROBE_BIN

Workflow

Run dependency checks:

node \x3Cskill_root>/scripts/douyin.js doctor

Authorize account (manual code paste flow):

node \x3Cskill_root>/scripts/douyin.js auth

Prepare transcript and metadata from a local video path. Accept both Linux and Windows path formats.

node \x3Cskill_root>/scripts/douyin.js prepare --video "E:\\videos\\demo.mp4"

Create 3 caption candidates from transcript.text with this structure:

Line 1: title hook
Line 2-3: concise description
Final line: 2-5 hashtags

Ask user to select or edit one final caption.
Publish with explicit visibility and confirmation policy:

node \x3Cskill_root>/scripts/douyin.js publish \
  --video "E:\\videos\\demo.mp4" \
  --text "\x3Cfinal caption>" \
  --private-status 0 \
  --auto-confirm false

Command Behavior

doctor: reports dependency and env readiness plus install hints.
auth: opens OAuth URL, accepts pasted callback URL or code, stores encrypted token.
prepare: returns metadata, transcript, and ASR failure detail (without stopping publish flow).
publish: uploads and creates video via official API. If permission-like API errors occur, writes fallback files under outbox and returns mode: fallback.
config: stores persistent settings (defaultPrivateStatus, autoConfirm, whisperBin, whisperModelPath, outboxDir, etc.).

Caption Rules

Before publish:

Keep final text length \x3C= 1000.
Always show the final draft to the user.
If auto-confirm is false, require explicit user confirmation in terminal.

Output Contracts

Treat script stdout as JSON. Always parse and branch by:

ok
command
mode (official or fallback for publish)
asrError (optional in prepare)

安全使用建议

This tool appears to do what it claims (authorize Douyin, transcribe, draft captions, and publish or export a fallback package). Before installing or running it: - Expect to set DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, and DOUYIN_REDIRECT_URI — the registry metadata omits these required env vars. - If you do NOT want your audio uploaded to a cloud ASR service, set DOUYIN_ASR_MODE to whisper-gpu or whisper-cpu and ensure whisper-cli and the model are installed; otherwise the default mode ('api') will POST audio to the configured ASR API (DEFAULT_ASR_API_URL is the OpenAI transcription endpoint). - The tool writes encrypted tokens and a local key file under ~/.config/douyin-upload-skill; if you provide DOUYIN_TOKEN_ENC_KEY it will use that instead. Protect these files and review token persistence policy if you share the machine. - The fallback outbox includes source-path.txt (the original local path) and transcript/caption files — review these before copying or sharing the outbox. - If you need assurance about what external endpoints are contacted, inspect/modify config.asrApiUrl and the code; the Douyin endpoints used are https://open.douyin.com and the ASR endpoint is configurable. Given the metadata mismatch and privacy-impacting default (ASR API), proceed only after confirming environment variables and setting ASR mode to local if you require on‑device transcription.

功能分析

Type: OpenClaw Skill Name: douyin-upload-skill Version: 0.1.0 The skill is classified as suspicious due to significant shell injection vulnerabilities. The `scripts/lib/config.js::validateConfigValue` function performs insufficient validation for configuration keys such as `ffmpegBin`, `ffprobeBin`, `whisperBin`, and `asrApiUrl`. These values, which can be controlled via environment variables (e.g., `DOUYIN_FFMPEG_BIN`) or the `config set` command, are later used as executable paths or arguments to `child_process.execFile` or `spawnSync('which', ...)`, or as URLs for `fetch` in `scripts/douyin.js` and `scripts/lib/media.js`. An attacker able to control these configuration values could inject arbitrary shell commands, leading to Remote Code Execution (RCE) or redirect sensitive audio data to malicious external endpoints. While the skill's stated purpose is benign, these vulnerabilities pose a high risk.

能力评估

ℹ Purpose & Capability

The code and SKILL.md implement a Douyin OAuth + upload + local/third-party ASR + fallback outbox workflow that matches the skill name and description. However the registry metadata claims no required environment variables while SKILL.md and the code require DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, and DOUYIN_REDIRECT_URI (and optionally DOUYIN_ASR_API_KEY, DOUYIN_TOKEN_ENC_KEY, etc.). This metadata omission is an inconsistency you should be aware of.

⚠ Instruction Scope

Runtime instructions and the code operate on local video files, compute SHA256, extract audio, run local binaries (ffmpeg/whisper-cli) and may send audio to a configured ASR API. By default the config sets asrMode='api', and DEFAULT_ASR_API_URL is set to OpenAI's transcription endpoint — meaning audio may be uploaded to a third‑party by default unless you explicitly configure local whisper mode. The tool also writes transcript cache, outbox packages, and encrypted tokens under ~/.config/. These behaviors are consistent with the tool's functionality but are privacy-sensitive and not explicitly emphasized in the registry metadata.

✓ Install Mechanism

There is no external install spec (no downloaded installers or remote archives); the package contains Node.js scripts. The code expects local binaries (ffmpeg, ffprobe, whisper-cli, xdg-open). This is lower risk than fetching remote executables, but it does rely on running local command-line tools.

ℹ Credentials

The environment variables requested by SKILL.md and used in code (DOUYIN_CLIENT_KEY, DOUYIN_CLIENT_SECRET, DOUYIN_REDIRECT_URI, optional DOUYIN_ASR_API_KEY, DOUYIN_TOKEN_ENC_KEY, etc.) are proportionate to a CLI that authenticates with Douyin and optionally calls an ASR API. The registry metadata incorrectly lists zero required env vars — a mismatch. Also DOUYIN_ASR_API_KEY can cause audio to be sent to a third-party if asrMode is left as 'api'.

✓ Persistence & Privilege

The skill stores encrypted tokens and a local key file under standard per-user paths (~/.config, ~/.cache, ~/.local/share). It does not request system-wide or other skills' credentials and it does not set always:true. Token storage uses AES-256-GCM with a key derived from an env var or a local token.key file. This is expected for persistent CLI credentials but creates a persistent local artifact you should manage and protect.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install douyin-upload-skill
安装完成后，直接呼叫该 Skill 的名称或使用 /douyin-upload-skill 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.0

Initial public release

元数据

Slug douyin-upload-skill

版本 0.1.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题