← 返回 Skills 市场
Video Crawler
作者
ly5201314gjx
· GitHub ↗
· v1.0.0
595
总下载
0
收藏
7
当前安装
1
版本数
在 OpenClaw 中安装
/install video-crawler
功能描述
Extract videos from Douyin and Twitter by providing platform and URL, outputting the downloaded video file or an error message.
安全使用建议
This skill appears to do what it says (download Douyin/X videos), but the embedded hard-coded API key in the source is a red flag. Before installing or running it: (1) ask the author why the DASHSCOPE_API_KEY exists and request its removal; (2) do not run it on machines or accounts that hold sensitive credentials; run it in an isolated sandbox/container if you must test; (3) if the key belongs to you or your org, assume it is compromised and rotate/revoke it immediately; (4) consider manually reviewing the code (or having a trusted reviewer do so) for any other hidden endpoints or secrets; and (5) prefer a version from a known, reputable source or one that does not contain embedded secrets.
功能分析
Type: OpenClaw Skill
Name: video-crawler
Version: 1.0.0
The `video_crawler.py` script is vulnerable to arbitrary file write due to the `output_file` argument being directly used in `open()` and passed to `yt-dlp` without sanitization or path restrictions. An attacker or a compromised agent could specify a sensitive system path (e.g., `/etc/passwd`, `~/.bashrc`) as the output file, leading to file corruption, denial of service, or potential privilege escalation. Additionally, an unused API key (`DASHSCOPE_API_KEY`) is hardcoded in `video_crawler.py`, which is a bad security practice, though not directly exploitable in this version. There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, nor any prompt injection attempts in `SKILL.md`.
能力评估
Purpose & Capability
Name/description, the SKILL.md, and the code align: the script uses Playwright + requests to fetch Douyin videos and yt-dlp to fetch Twitter/X videos. The declared dependencies in the README (playwright, requests, yt-dlp) are appropriate for the stated functionality. However, the code includes a hard-coded DASHSCOPE_API_KEY constant (looks like an sk-... secret) that has no role in the stated purpose — this is unexpected and unexplained.
Instruction Scope
SKILL.md gives clear, limited runtime instructions (install dependencies, run python3 video_crawler.py <platform> <url> [output]). The instructions do not ask the agent to read unrelated files or environment state. The implementation performs network requests and writes temporary files in /tmp (expected for downloading). The only scope discrepancy is that SKILL.md does not mention any API key or external service that would justify the embedded secret.
Install Mechanism
This is an instruction-only skill (no registry install spec). The README recommends pip install of third-party packages and running 'playwright install chromium' — normal for this functionality but note that pip package installation and Playwright's browser install will download and execute code from upstream package indexes/CDNs. That is expected but carries the usual supply-chain risk.
Credentials
The skill declares no required environment variables or credentials, yet the Python source contains a hard-coded constant named DASHSCOPE_API_KEY with a value that looks like an API secret (sk-...). Embedding such a secret in code is a mismatch with the declared requirements and is a sensitive risk (exposed credential or backdoor). The key is not used anywhere in the file, which suggests it may be leftover, accidentally committed, or a hidden/unneeded back channel — none of which are good signs.
Persistence & Privilege
The skill does not request persistent installation hooks, does not set always: true, and does not modify other skills or system-wide agent settings. It runs as an on-demand script and writes downloaded files to /tmp — within expected privilege for its purpose.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install video-crawler - 安装完成后,直接呼叫该 Skill 的名称或使用
/video-crawler触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Video Crawler.
- Supports downloading videos from Douyin and Twitter via command line.
- Easy installation instructions using pip and playwright.
- Outputs either the saved file path on success or an error message on failure.
- Notes on video size and potential platform-specific download times included.
元数据
常见问题
Video Crawler 是什么?
Extract videos from Douyin and Twitter by providing platform and URL, outputting the downloaded video file or an error message. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 595 次。
如何安装 Video Crawler?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install video-crawler」即可一键安装,无需额外配置。
Video Crawler 是免费的吗?
是的,Video Crawler 完全免费(开源免费),可自由下载、安装和使用。
Video Crawler 支持哪些平台?
Video Crawler 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Video Crawler?
由 ly5201314gjx(@ly5201314gjx)开发并维护,当前版本 v1.0.0。
推荐 Skills