Save Douyin Video To Feishu Drive

从抖音分享链接或视频页 URL 解析出可下载的视频直链、标题与描述，并可下载到本地或上传到飞书云盘。适用于需要解析抖音 URL（短链、/video/、/note/、modal_id 等）并获取真实播放地址或下载视频时使用。

This skill appears to implement the described functionality, but review before use: 1) Required tooling is understated — you need Node 18+ to run the script, and SKILL.md examples assume curl and python3; ensure these are present. 2) Do NOT store app_id/app_secret or access tokens in plaintext TOOLS.md or shared files; prefer ephemeral tokens or secure secret storage (environment variables or a secrets manager). 3) The README suggests a readonly Feishu permission (drive.metadata:readonly) which contradicts the script's upload behavior — confirm required Feishu scopes (upload needs write permissions). 4) Run the script in a sandboxed environment (or with limited privileges) the first few times and inspect network calls if possible. 5) If you need higher confidence, ask the publisher for: a homepage/source repo, explanation of Feishu scopes required, and a statement that secrets will not be logged or stored insecurely. If you proceed, avoid embedding long-lived credentials in plain files.

Type: OpenClaw Skill Name: save-douyin-video-to-feishu-drive Version: 1.0.0 The skill bundle's primary purpose is to parse Douyin video URLs, download videos, and upload them to Feishu Drive, which is a benign function. However, the `scripts/parse-douyin-video.js` file contains an arbitrary file write vulnerability. The `outputPath` argument, which can be controlled by user input or the agent, is directly used in `createWriteStream()` without sanitization. This could allow an attacker to overwrite arbitrary files on the system (e.g., `/etc/passwd` or `/root/.bashrc`) if a malicious path is provided. While there is no clear evidence of intentional data exfiltration, backdoors, or other malicious intent, this critical vulnerability makes the skill suspicious.