
Doubao Media

Author: huangm199 · GitHub · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
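Total downloads: 113 · Favorites: 1 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install huangm-doubao-media
Description
Media extraction and traffic capture for the Doubao web client. Used to: call Doubao chat/completion with browser cookies, capture SSE replies, extract and download image/video assets, and monitor the Doubao web generation flow while saving the final media URLs and files. Suited to scenarios such as "continue researching the Doubao skill", "get the images/videos Doubao generated", "capture Doubao web requests/media resources", and "extract Doubao generation results".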
Usage (SKILL.md)

doubao-media

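Treat this skill as two parallel routes:

  1. API route: call chat/completion directly. Suited to validating prompts, getting text, and trying to extract media URLs from the SSE stream along the way.
  2. Browser capture route: listen to the real web page's network requests. Suited to finally obtaining the images, videos, covers, and download links Doubao produces. This route is usually more reliable.

Directory highlights

Current main entry points

  • scripts/doubao_api.js: refreshes cookies and verifies the text chat path
  • scripts/doubao_media_api.js: calls chat/completion, then extracts and downloads image/video assets
  • scripts/capture_doubao_media.js: listens to browser network traffic and captures the final media URLs; suited to troubleshooting video

Legacy scripts

The local workspace keeps scripts/legacy/ as a reverse-engineering reference, but the publicly released version does not include these legacy files.

Recommended workflow

A. First confirm the session is usable

The simplest single command: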

npm run ready

Or directly:

node doubao_api.js ready

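It automatically:

  1. Checks the local session
  2. Tries to capture the current browser login state if necessary
  3. If you are not logged in yet, opens the Doubao login page and waits for login
  4. Finally prints available / unavailable

When you need to split the steps up for troubleshooting, use: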

npm run check-session
npm run login-if-needed
npm run verify-chat

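The logic is:

  • check-session: checks whether the local ~/.doubao_chat_session.json exists and is still usable
  • login-if-needed: if the session is invalid, first tries to capture the current browser cookies directly; if that still fails, it opens https://www.doubao.com/ and waits for you to finish logging in, then refreshes the local session
  • verify-chat: verifies that the Cookie/API path works

By default it waits about 120 seconds for login. You can also use: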

node doubao_api.js login-if-needed --timeout-ms 180000

B. Try to get media directly from the API reply

node doubao_media_api.js chat "生成一张赛博朋克老虎头像"
node doubao_media_api.js chat "生成一张赛博朋克老虎头像" --download --output ./captures
npm run extract-media

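In the output, focus on:

  • assets[].bestUrl: the link currently most recommended for direct download
  • assets[].variants: other preview/watermarked/original variants of the same asset
  • download.manifestPath: the manifest file written after a batch download

If the returned JSON contains assets / mediaUrls, prefer this route; it is the least effort.

C. When you actually need the images/videos, prefer browser capture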

node capture_doubao_media.js monitor --download --output ./captures
npm run capture-media

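Then operate Doubao in the logged-in browser: generate an image, generate a video, open the result page, click preview/play/download.

The script will:

  • Record suspected media URLs in requests/responses
  • Try to recursively extract URLs from JSON/SSE response bodies
  • Use the parent request and URL rules to separate "results of this generation" from page noise
  • Optionally download images/videos to the output directory automatically
  • Produce a raw .jsonl manifest, summary.txt, and a filtered *-curated.json

Suited to troubleshooting the video path: if Doubao does not give the video download address directly in the API SSE stream, clues such as mp4, webm, m3u8, poster, cover, and play_addr usually still appear in the page's follow-up requests.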
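The recursive extraction described above, as an added example that is not the skill's own code: it walks the JSON carried on SSE `data:` lines for the listed hints and gates every URL before download, because URLs found in traffic are untrusted input. The function names and the sample payload are constructed; Doubao's real field layout is not shown on this page.

```javascript
const HINT_KEYS = /poster|cover|play_addr/i;   // key names listed on the page
const HINT_EXT = /\.(mp4|webm|m3u8)(\?|$)/i;   // extensions listed on the page
// Parse an SSE body into the JSON payloads carried on its "data:" lines.
function parseSse(body) {
  const events = [];
  for (const block of body.split(/\r?\n\r?\n/)) {
    const data = block.split(/\r?\n/).filter((l) => l.startsWith('data:'))
      .map((l) => l.slice(5).trim()).join('\n');
    try { if (data) events.push(JSON.parse(data)); } catch { /* not JSON */ }
  }
  return events;
}

// Walk any JSON value; collect URLs whose key or extension looks like media.
function collectMediaUrls(node, key = '', out = new Set()) {
  if (typeof node === 'string') {
    if (/^https?:\/\//i.test(node)) {
      if (HINT_KEYS.test(key) || HINT_EXT.test(node)) out.add(node);
    } else if (/^\s*[\[{]/.test(node)) { // JSON nested inside a string
      try { collectMediaUrls(JSON.parse(node), key, out); } catch { /* text */ }
    }
  } else if (Array.isArray(node)) {
    node.forEach((v) => collectMediaUrls(v, key, out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) collectMediaUrls(v, k, out);
  }
  return out;
}

// Gate before download: https only, no userinfo, no localhost or literal IPs.
// It does not resolve DNS, so a hostname can still point at a private address.
function safeToFetch(raw) {
  let u; try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== 'https:' || u.username || u.password) return false;
  const h = u.hostname;
  return !(h === 'localhost' || /^\d+(\.\d+){3}$/.test(h) || h.startsWith('['));
}

// Constructed SSE sample; field names are illustrative, not Doubao's schema.
const SAMPLE = [
  'data: {"video":{"play_addr":"https://media.example.com/v/1","cover":"https://media.example.com/c/1.jpg"}}',
  'data: {"payload":"{\\"files\\":[\\"https://cdn.example.com/a.mp4?sig=x\\",\\"http://127.0.0.1:18800/x.m3u8\\"]}"}',
  'data: [DONE]',
].join('\n\n');

function extractSafe(body) {
  const found = parseSse(body).reduce((s, e) => collectMediaUrls(e, '', s), new Set());
  return [...found].filter(safeToFetch);
}
```
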

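On stability

Doubao's web parameters, field names, and resource domains can all change, so:

  • Do not bet on a single API field
  • Prefer saving the final media URLs that appear in real network traffic
  • If the API route cannot extract media, keep going with browser capture to get the resources

Common next steps

If the user wants to "finally get all the images and videos Doubao generated", proceed in this order:

  1. Get login/chat working
  2. Use doubao_media_api.js to see whether the SSE stream already exposes asset URLs
  3. Use capture_doubao_media.js to listen to the real generation process
  4. Archive/download the captured URLs
  5. Once a stable interface is confirmed, bake its fields back into the scripts

Notes

  • Depends on the browser remote debugging port 18800
  • Requires the browser to be logged in to Doubao already
  • This is a web automation/traffic capture approach, so the interfaces may change as the web page is updated; capturing real media requests is usually more durable than hard-coding interfaces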
Security usage advice
This skill appears to do what it claims, but it requires sensitive access to your browser session:
  • It connects to a Chrome/Chromium browser via the remote debugging port (default 18800) and reads cookies via CDP. You must run the browser with --remote-debugging-port=18800 for the scripts to work.
  • The script writes an unencrypted session file with cookie name/value pairs to your home directory. Treat that file as sensitive: inspect it before use and delete it when no longer needed.
  • To reduce risk: run the tool against a dedicated browser profile or a disposable browser instance (so other logins/cookies are not exposed), or use a temporary VM/container. Avoid enabling remote debugging on your primary browser profile holding other accounts.
  • Be aware of platform quirks: the code uses a Windows 'start' command and process.env.USERPROFILE for the session path, while SKILL.md references ~/.doubao_chat_session.json — test behavior on your OS before trusting automation.
  • Review downloaded media and URLs before opening; the script will fetch arbitrary URLs discovered in network traffic.
If you trust this source and follow the mitigations above (dedicated browser/profile, delete the session file after use), the tool is coherent with its purpose. If you are uncertain, ask the author for an explanation of cross-platform behavior and consider running it in an isolated environment first.
Functional analysis
Type: OpenClaw Skill
Name: huangm-doubao-media
Version: 1.0.1
The skill bundle provides tools for automating interactions with the Doubao AI platform by extracting browser cookies and monitoring network traffic via the Chrome DevTools Protocol (CDP) on port 18800 (found in `doubao_session.js` and `capture_doubao_media.js`). While these capabilities are aligned with the stated purpose of media extraction, the programmatic theft of cookies and full network interception are high-risk 'dual-use' behaviors. Additionally, `doubao_session.js` utilizes `child_process.exec` to run shell commands, and the scripts store sensitive session data in plaintext at `~/.doubao_chat_session.json`. No evidence of intentional exfiltration to unauthorized third-party domains was observed.
Capability assessment
Purpose & Capability
Name/description match the code and SKILL.md: the scripts use Chrome DevTools Protocol to capture browser cookies and network traffic, call Doubao chat/completion, parse SSE, extract media URLs and optionally download assets. All requested actions (cookie capture, SSE parsing, network monitoring) are expected for a media-capture/harvest tool for a web service.
Instruction Scope
SKILL.md instructs the agent to check a local session, capture browser cookies via CDP, open the Doubao login page if needed, monitor network traffic and optionally download media. Those instructions are within the stated purpose but require reading browser cookies and saving them locally. There is a small mismatch: SKILL.md refers to ~/.doubao_chat_session.json while code writes/reads SESSION_FILE using process.env.USERPROFILE (Windows path), which may cause confusion on non-Windows hosts.
Install Mechanism
This is an instruction-only skill with included Node.js scripts and a package.json. Dependencies are limited to chrome-remote-interface (and its normal deps). No arbitrary remote archives or obscure installers are fetched by the skill itself. package-lock.json references a mirror registry (registry.npmmirror.com) but no network installs are triggered automatically by the skill package metadata — installation would be a normal npm install by the user.
Credentials
The skill requests no environment variables or external credentials, which is consistent. However, it programmatically reads cookies from a running browser via CDP and writes them (name/value pairs) unencrypted into a session file in the user's home directory. That cookie access is necessary for the stated functionality but is sensitive: anyone with access to that session file can impersonate the browser session.
Persistence & Privilege
The skill is not forcibly persistent (always:false) and does not modify other skills. It does create a local session file (~/.doubao_chat_session.json or the Windows-based path) containing captured cookies and may open the browser (exec 'start' on Windows). Using CDP requires a browser started with a remote-debugging port (default 18800), which is an elevated debugging surface — enabling it on a primary browser can expose other site cookies if not filtered/isolated.
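One way to address the session-file and cookie-scope concerns raised above, as an added example that is not code from the skill: keep only cookies scoped to the target site, resolve the session path the same way on every OS, and write the file owner-only. The function names, the `doubao.com` scope, and the `{ cookies }` file layout are assumptions; the sample cookies are constructed in the shape of CDP cookie objects.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const ALLOWED_DOMAIN = 'doubao.com'; // assumption: the only site the tool needs

// One location on every OS, unlike process.env.USERPROFILE (set on Windows only).
function sessionPath(home = os.homedir()) {
  return path.join(home, '.doubao_chat_session.json');
}

// True when a cookie domain is the allowed domain or one of its subdomains.
function inScope(cookieDomain, allowed = ALLOWED_DOMAIN) {
  const d = String(cookieDomain || '').replace(/^\./, '').toLowerCase();
  return d === allowed || d.endsWith('.' + allowed);
}

// Drop cookies that belong to other sites before anything is persisted.
function scopeCookies(cookies, allowed = ALLOWED_DOMAIN) {
  return cookies.filter((c) => inScope(c.domain, allowed))
    .map(({ name, value, domain }) => ({ name, value, domain }));
}

// Write owner-only (0600); chmod also tightens a file that already existed.
// Windows does not enforce POSIX modes. The { cookies } layout is hypothetical.
function writeSession(file, cookies) {
  fs.writeFileSync(file, JSON.stringify({ cookies }), { mode: 0o600 });
  fs.chmodSync(file, 0o600);
  return file;
}

// Flag a session file that group or others can read (POSIX only).
function auditSession(file) {
  if (!fs.existsSync(file)) return { exists: false, tooOpen: false };
  const mode = fs.statSync(file).mode & 0o777;
  const tooOpen = process.platform !== 'win32' && (mode & 0o077) !== 0;
  return { exists: true, mode, tooOpen };
}

// Constructed sample in the shape of CDP cookie objects.
const SAMPLE_COOKIES = [
  { name: 'sid', value: 'A', domain: '.doubao.com', httpOnly: true },
  { name: 'pref', value: 'B', domain: 'www.doubao.com', httpOnly: false },
  { name: 'auth', value: 'C', domain: 'mail.example.com', httpOnly: true },
  { name: 'trap', value: 'D', domain: 'notdoubao.com', httpOnly: false },
];
```

Deleting the file when it is no longer needed remains the stronger control; the permission bits only limit other local users.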
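How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install huangm-doubao-media
  3. After installation, call the Skill by name or trigger it with /huangm-doubao-media
  4. Provide the inputs required by the Skill's parameter description to get structured output
Version history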
v1.0.1
Clean release: removed legacy files from published package, clarified session/login workflow, and tightened public docs for safer installation review.
v1.0.0
Initial release: session-aware Doubao login flow, image/video media extraction, browser capture, and download helpers.
Metadata
Slug: huangm-doubao-media
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 2
FAQ

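What is Doubao Media?

Media extraction and traffic capture for the Doubao web client. Used to: call Doubao chat/completion with browser cookies, capture SSE replies, extract and download image/video assets, and monitor the Doubao web generation flow while saving the final media URLs and files. Suited to scenarios such as "continue researching the Doubao skill", "get the images/videos Doubao generated", "capture Doubao web requests/media resources", and "extract Doubao generation results". It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 113 total downloads to date.

How do I install Doubao Media?

Run the command "/install huangm-doubao-media" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is Doubao Media free?

Yes, Doubao Media is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Doubao Media support?

Doubao Media runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Doubao Media?

It is developed and maintained by huangm199 (@huangm199); the current version is v1.0.1.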
