← 返回 Skills 市场
tikhub-api-skill
作者
liangdabiao
· GitHub ↗
· v1.0.0
387
总下载
1
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install tikhub-api-skill
功能描述
Search and query TikHub APIs for TikTok, Douyin, Xiaohongshu, Lemon8, Instagram, YouTube, Twitter, Reddit, and more. Use when user asks about needs to fetch...
安全使用建议
What to consider before installing:
- Do not assume the embedded DEFAULT_TOKEN is safe: api_client.py contains a hard-coded token which will be used if you don't supply your own — this can mean actions run under someone else's account or incur charges. Replace or remove the DEFAULT_TOKEN and use your own TIKHUB_TOKEN.
- SKILL.md recommends setting TIKHUB_TOKEN, but the CLI does not read that environment variable; confirm the implementation will use your token (or modify the code to read os.environ['TIKHUB_TOKEN']). Ask the author to fix this mismatch.
- The README contains prompt-injection-like patterns (base64 and unicode control characters). Open SKILL.md in a plain text editor, search for non-printable characters or encoded blocks, and remove/verify anything suspicious.
- Review openapi.json (it's large) to ensure it doesn't contain unexpected endpoints or sensitive-sounding functionality you don't want (e.g., services that bypass captchas or send emails).
- If you plan to use the API, create and use your own TikHub API key from your account (do not rely on the shipped DEFAULT_TOKEN).
- When in doubt, ask the publisher for provenance (who published this skill) and for a version that does not include hard-coded credentials or hidden characters.
- If you cannot validate these points, avoid running the packaged scripts against the network or sanitize the code first (remove DEFAULT_TOKEN, add explicit env-var reading, and remove suspicious characters).
功能分析
Type: OpenClaw Skill
Name: tikhub-api-skill
Version: 1.0.0
The TikHub API skill bundle is a legitimate tool designed to help users search and interact with social media data APIs. The code consists of a search utility (api_searcher.py) for exploring API endpoints and a client (api_client.py) for making HTTP requests to the TikHub service. It uses standard Python libraries, includes clear documentation for the AI agent, and lacks any indicators of malicious intent, data exfiltration, or unauthorized execution. The inclusion of a default development token and specific path-handling logic for Windows environments are functional features aligned with the stated purpose of the skill.
能力评估
Purpose & Capability
Name, description, and included code (api_searcher.py, api_client.py, openapi.json) match the stated purpose of helping search and call TikHub APIs. However, the skill metadata lists no required env vars while SKILL.md instructs users to set TIKHUB_TOKEN; the client code embeds a DEFAULT_TOKEN constant (hard-coded credential) and the CLI in main() does not read TIKHUB_TOKEN from the environment. This mismatch is unexplained and worth verifying.
Instruction Scope
SKILL.md stays within the API-helper scope for the most part (search, list, call APIs). But the provided SKILL.md contains prompt-injection signals (base64-block and unicode-control-chars) detected by the scanner, which is unexpected for a normal README and could be an attempt to obfuscate instructions or add hidden content. Also SKILL.md tells users to set TIKHUB_TOKEN, yet the CLI implementation does not read that environment variable — a behavioural mismatch that may cause confusing or unsafe use (e.g., the embedded DEFAULT_TOKEN will be used instead).
Install Mechanism
No install spec — instruction-only plus shipped code files. Nothing is downloaded or executed during installation by a package manager; the contained Python scripts will simply exist on disk. This is low-risk from an installer standpoint, but files will be present locally.
Credentials
Metadata declares no required credentials, but SKILL.md asks users to set TIKHUB_TOKEN and api_client.py contains a DEFAULT_TOKEN string baked into the source. A hard-coded token in distributed code is a red flag: it may be a leaked/privileged credential (causing billing or access through someone else's account) or a backdoor. The skill otherwise does not request unrelated credentials, so the concern is specifically the unexplained embedded token and the mismatch around env var usage.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not attempt to modify system config or other skills. There is no elevated persistence or privileged system presence requested.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tikhub-api-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/tikhub-api-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
tikhub-api-skill v1.0.0
- Initial release of the tikhub-api-helper skill.
- Enables searching and querying TikHub API endpoints for multiple social media platforms.
- Includes scripts for API discovery (`api_searcher.py`) and making HTTP requests (`api_client.py`).
- Supports both English and Chinese queries.
- Covers major platforms like TikTok, Douyin, Instagram, YouTube, Twitter, Reddit, and more.
- Provides guidance on authentication, platform selection, rate limits, and common error handling.
元数据
常见问题
tikhub-api-skill 是什么?
Search and query TikHub APIs for TikTok, Douyin, Xiaohongshu, Lemon8, Instagram, YouTube, Twitter, Reddit, and more. Use when user asks about needs to fetch... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 387 次。
如何安装 tikhub-api-skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tikhub-api-skill」即可一键安装,无需额外配置。
tikhub-api-skill 是免费的吗?
是的,tikhub-api-skill 完全免费(开源免费),可自由下载、安装和使用。
tikhub-api-skill 支持哪些平台?
tikhub-api-skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 tikhub-api-skill?
由 liangdabiao(@liangdabiao)开发并维护,当前版本 v1.0.0。
推荐 Skills