← Back to Skills Marketplace

TikTok/Douyin 创作流水线

Name: TikTok/Douyin 创作流水线
Author: kk-kingkong

by kk.Tang · GitHub ↗ · v1.1.0 · MIT-0

cross-platform ⚠ suspicious

108

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install tikhub-douyin-pipeline

Description

TikHub API 多平台数据爬取工具，支持抖音/TikTok/B站等。当用户提到：(1) 爬取抖音/TikTok/B站视频或评论；(2) 获取用户信息/粉丝列表；(3) 批量下载无水印视频；(4) 抖音链接转文字（下载→音频→Whisper pipeline）；(5) 调用 TikHub API。

Usage Guidance

This skill appears to implement what it claims (TikHub scraping, downloading, audio extraction, Whisper/MLX-Whisper transcription). Before installing or running it: - Review how you supply the TikHub API key — avoid hardcoding keys in the file; prefer passing via set_api_key at runtime or environment variables under your control. - The code uses subprocess with shell=True to launch background Whisper jobs (nohup). If you pass filenames or URLs containing untrusted characters, that could allow command injection. Only run the skill on files/inputs you trust or sanitize paths before use. - The skill spawns background processes and writes logs to /tmp; monitor for orphaned processes or large disk usage. - requirements.txt incorrectly includes 'ffmpeg' (not a pip package). Follow SKILL.md (brew apt-get or OS package manager) to install ffmpeg and the Python dependencies (requests, openai-whisper, mlx-whisper). - Consider inspecting the full set_api_key implementation (in scripts/tikhub.py) to confirm it does not persist secrets insecurely. - Legal/terms note: scraping/downloading videos and comments may violate service terms or local laws — ensure you have permission and are within terms of service. If you need to proceed but want to reduce risk: run the code in an isolated environment (container/VM), inspect or patch the subprocess usage to avoid shell=True (use list-argument subprocess.run without shell), and validate/sanitize all filenames and URLs before passing them to shell commands.

Capability Analysis

Type: OpenClaw Skill Name: tikhub-douyin-pipeline Version: 1.1.0 The skill bundle contains a critical shell injection vulnerability in `scripts/tikhub.py` within the `whisper_transcribe` function. This function constructs a command string using unsanitized input (an `aweme_id` derived from a user-provided URL) and executes it via `subprocess.run(..., shell=True)`. An attacker could exploit this to achieve Remote Code Execution (RCE) by providing a crafted URL containing shell metacharacters. While the code appears to be a legitimate tool for the TikHub API (interacting with `api.tikhub.io` and `api.tikhub.dev`), the lack of input sanitization in a shell-executing context is a major security flaw.

Capability Assessment

✓ Purpose & Capability

Name, description, SKILL.md and code align: the package calls TikHub endpoints, downloads videos, extracts audio, and runs Whisper/MLX-Whisper transcribes. The endpoints used (api.tikhub.io / .dev) and functions implemented match the stated purpose.

⚠ Instruction Scope

SKILL.md instructs running batch.py and the full pipeline; those are coherent. However the implementation launches external tools (ffmpeg, whisper) and in one code path constructs and runs a shell command via nohup with subprocess.run(..., shell=True). That creates a command-injection risk if filenames/paths are attacker-controlled or contain special characters. The skill also writes logs to /tmp and spawns background processes, which users should be aware of.

ℹ Install Mechanism

No install spec (instruction-only with code files) — low install risk. Minor mismatch: requirements.txt lists 'ffmpeg' (which is not a Python package) while SKILL.md correctly instructs installing ffmpeg via brew; this is a packaging inaccuracy but not an overt supply-chain issue.

✓ Credentials

The skill requests no environment variables or external credentials in metadata. The code uses an API key (API_KEY global) and the SKILL.md instructs the user to obtain/set a TikHub API key — that matches purpose. No unrelated credentials or config paths are requested.

✓ Persistence & Privilege

always is false and the skill is user-invocable/autonomous-invocation remains the platform default. The skill does spawn background Whisper jobs and writes logs to /tmp, but it does not request elevated or persistent platform-wide privileges or modify other skills.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install tikhub-douyin-pipeline
After installation, invoke the skill by name or use /tikhub-douyin-pipeline
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.1.0

SKILL.md v5: 修复API调用方式(v4→v5 Client异步)、API Key从.env读取、补全抖音链接解析、全新Pipeline代码

Metadata

Slug tikhub-douyin-pipeline

Version 1.1.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is TikTok/Douyin 创作流水线?

TikHub API 多平台数据爬取工具，支持抖音/TikTok/B站等。当用户提到：(1) 爬取抖音/TikTok/B站视频或评论；(2) 获取用户信息/粉丝列表；(3) 批量下载无水印视频；(4) 抖音链接转文字（下载→音频→Whisper pipeline）；(5) 调用 TikHub API。 It is an AI Agent Skill for Claude Code / OpenClaw, with 108 downloads so far.

How do I install TikTok/Douyin 创作流水线?

Run "/install tikhub-douyin-pipeline" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is TikTok/Douyin 创作流水线 free?

Yes, TikTok/Douyin 创作流水线 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does TikTok/Douyin 创作流水线 support?

TikTok/Douyin 创作流水线 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created TikTok/Douyin 创作流水线?

It is built and maintained by kk.Tang (@kk-kingkong); the current version is v1.1.0.

More Skills