tiktok-android-720p

使用 ADB 自动化 TikTok 互动。支持 AI 智能评论（Claude/GPT-4/OpenRouter 视觉分析）、搜索话题、评论、点赞、收藏视频、发布内容。无需网页抓取，无 CAPTCHA，智能 UI 识别实现 100% 成功率。

This package implements an ADB-based TikTok bot that does what it says, but there are some red flags you should review before installing and running it: - Metadata mismatch: The registry claims no required env vars or binaries, but the skill needs adb on PATH and will ask for AI API keys if you enable AI comments. Treat the registry metadata as incomplete and rely on the README/SKILL.md and code. - Secrets handling: The interactive setup writes API keys into a local .env file in cleartext. If you supply API keys, consider using a secure secret store or removing keys after use. Inspect setup.py to see where it writes keys. - Destructive device actions: The publish workflow runs rm -f /sdcard/DCIM/Camera/*.mp4 on the connected Android device. Backup any important media on the device before running the tool and/or remove the publish/cleanup steps if you don't want deletion. - Hardcoded / absolute paths: Example scripts (run_complete_session.py, run_full_campaign.py) insert an absolute user path into sys.path (/Users/...), which looks like leftover test/configuration code. Review and remove/adjust those lines before running. - External network calls: If you enable AI mode, the skill will encode screenshots and send them to external AI endpoints (Anthropic/OpenAI/OpenRouter). This will leak screenshots/content to those services and may incur costs. Audit ai_comments.py to confirm providers and endpoints. - Running untrusted code: There is no remote install step, but these are executable Python scripts from an unknown source. If you decide to run it, do so in an isolated environment (non-production machine, container, VM) and inspect/modify the code (especially lines that delete files or call subprocess) to enforce safety. - Legal/ToS risk: Automated commenting/interaction on TikTok may violate platform terms of service and can lead to account action. Use conservative rates and avoid abusive/spammy behavior. If you want, I can: (1) point to the exact lines that delete device files and store API keys, (2) produce a minimal-safe patch that disables deletion and .env writes, or (3) list all places where network requests are made for your further review.

Type: OpenClaw Skill Name: tiktok-android-720p Version: 1.0.0 The bundle provides a TikTok automation bot using ADB and AI vision. It is classified as suspicious due to a critical shell injection vulnerability in 'tiktok_bot.py' (within the 'publish_mode' function), where a user-provided video URL is passed unsanitized into an 'adb shell curl' command. While the tool appears designed for legitimate automation, the lack of input validation combined with the requirement for sensitive LLM API keys (handled in 'setup.py' and 'src/ai_comments.py') and broad ADB device control creates a high-risk profile for potential exploitation.