TikHub API 工具(KK版)

TikHub API 多平台数据爬取工具，支持抖音/TikTok/B站等。当用户提到：(1) 爬取抖音/TikTok/B站视频或评论；(2) 获取用户信息/粉丝列表；(3) 批量下载无水印视频；(4) 抖音链接转文字（下载→音频→Whisper pipeline）；(5) 调用 TikHub API。

What to check before installing/using: - Confirm how you will provide the TikHub API key. The code expects TIKHUB_API_KEY (env or ~/.openclaw/workspace/.env), but the skill metadata does not declare it — supply the key via environment variables rather than leaving a plaintext .env in your home if possible. - Inspect SKILL.md and scripts for hard-coded paths. There is an example that opens '/Users/kk/.openclaw/workspace/.env' — likely leftover from the author; ensure no unwanted absolute paths are present or being used on your system. - Be aware the skill will download video files to disk and invoke ffmpeg and Whisper (CPU/GPU). Ensure you have the disk, compute capacity, and have installed the required tooling yourself (ffmpeg, whisper packages). requirements.txt lists ffmpeg (not a pip package) and multiple whisper packages — pick the ones you trust and need. - The skill relies on an external MCP (mcporter) server configuration referenced in ~/.openclaw/workspace/config/mcporter.json. If you don't run or trust that server, avoid executing MCP commands; the fallback Python SDK uses the TikHub API directly. - Network destinations: the skill talks to api.tikhub.dev and to the video host URLs it fetches — expected for this functionality. Confirm you are comfortable with calls to those endpoints and potential billing/usage (SKILL.md warns about a small balance and that some endpoints are paid). - Legal/ToS: scraping/downloading platform content may violate service terms or copyrights. Ensure you have the right to download/transcribe the content you target. If you want higher confidence, ask the author to: (1) update registry metadata to declare TIKHUB_API_KEY as a required env var, (2) remove or parameterize hard-coded user paths, and (3) provide clarity about MCP dependency and whether mcporter servers are remote/shared.

Type: OpenClaw Skill Name: tikhub-api-skill-kk Version: 1.1.0 The skill bundle contains a shell injection vulnerability in `scripts/tikhub.py` within the `whisper_transcribe` function, which uses `subprocess.run(..., shell=True)` on a command string constructed from potentially unsanitized video IDs or URLs. Additionally, the bundle includes logic in `scripts/tikhub.py` and instructions in `SKILL.md` to programmatically read sensitive API keys from the local environment file (`~/.openclaw/workspace/.env`). While these represent significant security risks (RCE and credential access), they appear to be unintentional flaws or functional requirements of the tool's stated purpose—social media data extraction—rather than intentional malware.