Is kamiender/douyin-video-fetch safe?

https://github.com/openclaw/skills/tree/main/skills/kamiender/douyin-video-fetch

Score: 90/100 · SAFE

douyin-video-fetch is a functionally legitimate Python skill that downloads Douyin videos through Playwright browser automation. The scan detected no prompt injection, credential theft, exfiltration, or malicious installation behavior, and all canary honeypot files remain untouched. The residual concerns sit mostly outside the malware threat model: the skill is built to strip Douyin watermarks and feed content-replication workflows, which carries Terms of Service and copyright risk, and its Playwright dependency brings a full Chromium browser that will navigate to any http/https URL it is handed, with no domain restriction.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (7)

MEDIUM Headless Chromium browser with permissive script execution -22

The skill spawns a full Playwright/Chromium browser instance that executes the JavaScript served by the target page. Its route handler aborts image, font, and stylesheet requests but lets every script resource load and run; that filtering is a bandwidth optimization, not a security boundary. Running page scripts is what the skill relies on to get past Douyin's WAF, but it also means that if a malicious URL is supplied as input, an attacker-controlled page runs JavaScript inside the browser context the skill operates.

MEDIUM Watermark-bypass design targets ToS-restricted content -20

The skill explicitly prioritizes 'watermark-free' (无水印) video downloads and is designed as part of a video replication pipeline. This constitutes Terms of Service violation against Douyin and likely copyright infringement of creator content.

LOW No domain allowlist for URL inputs -8

The normalize_input_to_url function passes any http/https URL through unchanged. A crafted --file entry or direct argument can therefore point the Playwright browser at non-Douyin hosts, including internal network addresses, so the browser becomes a pivot to whatever the host it runs on can reach. The download phase only proceeds against video URLs extracted from the Douyin CDN, which limits the direct exfiltration risk to what the rendered page can do from inside the browser.

LOW Chinese-language skill reduces audit transparency -5

SKILL.md is written entirely in Simplified Chinese, which may hinder review by non-Chinese-speaking users or automated auditors. The content is benign on inspection, but language opacity is a minor trust-reduction factor.

LOW Batch download mode enables large-scale scraping -8

The --file argument accepts a newline-delimited list of URLs or video IDs, enabling bulk scraping. If an agent is directed to process a large list, this could result in significant bandwidth usage, account fingerprinting, and IP-based blocking.

INFO Clean installation with no unexpected process or network activity 0

Installation cloned from the expected github.com/openclaw/skills monorepo using sparse checkout. No post-install hooks executed, no unexpected processes spawned, no connections to non-GitHub infrastructure attributable to the skill.

INFO All honeypot files intact — no credential access by skill 0

PATH audit events for the canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) are timestamped to the pre-scan and post-scan operations, not to any execution of skill code.