douyin-creator

Warn

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/douyin.sh is vulnerable to Python code injection. It passes user-supplied data to the interpreter by interpolating shell variables directly into Python heredocs, so the expanded value is parsed as Python source rather than handled as data.
  • Evidence: Subcommands such as idea, hook, script, title, tags, schedule, comment, persona, and review use patterns like niche = "$NICHE" or data = "$DATA".split(",") within a python3 << PYEOF block.
  • Vulnerability: An attacker providing an argument like \"; import os; os.system('id'); # would cause the Python interpreter to execute the injected system command instead of treating the input as data.
  • Inconsistency: Other subcommands in the same script, such as hashtag, duet, and monetize, correctly pass data to the Python process through environment variables (os.environ), which keeps the input out of the source text; this indicates the author is aware of the safer pattern but did not apply it consistently.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 24, 2026, 06:44 AM