桃噗噗回复助手

抖音自动回复技能。通过浏览器自动化连接抖音创作者中心，监控评论，智能分析后自动生成积极、大方、热情、合法的回复。支持关键词匹配、敏感词过滤、评论分类、多账号管理。触发场景：用户提到"抖音自动回复"、"抖音评论回复"、"抖音客服"、"抖音智能回复"、"抖音机器人"等关键词，或明确要求在抖音平台进行自动回复操作。

This skill appears to implement the Douyin auto-reply functionality it claims, but there are practical and security concerns you should address before using it with real accounts: - Dependency & install: The package contains Node scripts that require Playwright and a Chromium browser, but the registry metadata gives no install instructions. Do not run this on your main machine until you have (a) reviewed the code, (b) installed dependencies in an isolated environment, and (c) verified what will be executed. - Sensitive local state: The skill saves browser storageState/auth-state.json and other config files locally. Those files contain session tokens/cookies that grant access to your Douyin accounts. Treat them like credentials: store them only on systems you control, and remove them if you uninstall. - Test on disposable accounts: Before pointing it at production creator accounts, run it against a test account so you can confirm behavior (reply wording, deletion rules, rate limits, sensitive-word handling). - Review automation rules and outputs: The scripts can auto-reply, skip, delete, or mark comments. Check keyword rules, sensitive_words.json, and rate_limit_config.json to ensure they match your policy and avoid accidental mass replies or policy-violating replies. - AI provider keys: If you plan to enable AI-generated replies via an external provider, supply API keys only after confirming where and how they will be used and stored (the skill doesn't declare required env vars for API keys). - Least privilege & isolation: Run the skill in an isolated environment (VM/container) if possible and limit its file-system access. Keep backups of any session files you want to keep, and rotate/revoke sessions if you stop using the skill. - Code audit: Because the bundle contains executable scripts, review the remaining (omitted) source files for any network calls to unexpected endpoints or explicit exfiltration logic before trusting this skill with real accounts. If you want, I can: (1) search the remaining files for network endpoints/HTTP requests and surface any outbound endpoints, (2) list exact dependency calls (require/import) across all files, or (3) produce a checklist of things to change in config before enabling auto-reply.

Type: OpenClaw Skill Name: recall-tao Version: 1.0.1 The 'recall-tao' skill bundle is a legitimate and well-structured automation tool for managing Douyin (TikTok China) creator accounts. It utilizes Playwright for browser automation, implementing features like comment monitoring, keyword-based filtering, and AI-integrated replies (supporting DeepSeek, OpenAI, and Claude). The scripts (e.g., browser_manager.js, rate_limiter.js, and persistence_manager.js) are modular and focused on operational stability, rate limiting, and session persistence. No evidence of data exfiltration, malicious prompt injection, or unauthorized remote execution was found; all high-risk browser and file system operations are consistent with the stated purpose of the tool.