Douyin Transcribe

全自动抖音视频下载 + 语音转文字管道。当用户发送抖音链接并要求转写文字、提取字幕、语音转文本时使用。触发词包括"抖音转写"、"抖音文字"、"抖音转文本"、"抖音字幕"、"douyin transcribe"。

This skill appears to implement the stated Douyin→audio→local-ASR pipeline, but there are several things to check before installing or running it: 1) The Node script uses a non-standard import path (/tmp/puppeteer_test/node_modules/puppeteer-core) and expects Chrome at /usr/bin/google-chrome; verify these paths or adjust the script to use your system's Node/pupeteer and Chrome. 2) The script navigates to an external parser site (hellotik.app) and intercepts network traffic to find CDN URLs — this is necessary for the task but means the code loads third-party web content during execution. 3) feishu_upload.py references FEISHU_APP_TOKEN and FEISHU_TOKEN (environment variables) in a placeholder; the SKILL metadata does not declare these. If you plan to use Feishu upload, confirm what credentials are actually required and do not expose broad tokens to untrusted code. 4) The skill instructs installing a global npm ASR CLI and downloading a model from GitHub — these network downloads and global installs should be performed in a controlled environment (container or VM) if you are concerned about supply-chain or permission issues. 5) The Node launch uses Chrome flags like --no-sandbox; running headless Chrome without a sandbox has security implications — prefer running in a sandboxed container. If these oddities (hardcoded paths, undeclared env vars, external site dependency) are acceptable and you review the scripts locally before running, the risk is moderate; otherwise treat the skill as untrusted and run it in isolation or decline to install.

Type: OpenClaw Skill Name: xiaofei-ziyong-douyin-transcribe Version: 1.0.1 The skill bundle contains significant shell injection vulnerabilities in `transcribe.py` and `feishu_upload.py` due to the use of `subprocess.run(shell=True)` with unsanitized inputs (e.g., the `--url` parameter). While the stated purpose of downloading and transcribing Douyin videos appears legitimate, the implementation uses risky patterns like executing multi-line Python strings via shell commands and hardcoding specific Feishu folder/space IDs. The `feishu_upload.py` script is currently a stub that prints 'SKIP' but contains logic structures that could be easily modified for data exfiltration if the application credentials were provided.