kk-kingkong

TikTok/Douyin Creation Pipeline

Author kk.Tang · GitHub · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 108
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install tikhub-douyin-pipeline
Description
A TikHub API multi-platform data-scraping tool supporting Douyin/TikTok/Bilibili and others. Use when the user mentions: (1) scraping Douyin/TikTok/Bilibili videos or comments; (2) fetching user info/follower lists; (3) batch-downloading watermark-free videos; (4) converting a Douyin link to text (download → audio → Whisper pipeline); (5) calling the TikHub API.
Safe-use recommendations
This skill appears to implement what it claims (TikHub scraping, downloading, audio extraction, Whisper/MLX-Whisper transcription). Before installing or running it:
- Review how you supply the TikHub API key: avoid hardcoding keys in the file; prefer passing it via set_api_key at runtime or through environment variables under your control.
- The code uses subprocess with shell=True to launch background Whisper jobs (nohup). If you pass filenames or URLs containing untrusted characters, that could allow command injection. Only run the skill on files/inputs you trust, or sanitize paths before use.
- The skill spawns background processes and writes logs to /tmp; monitor for orphaned processes or large disk usage.
- requirements.txt incorrectly includes 'ffmpeg' (not a pip package). Follow SKILL.md (brew, apt-get or your OS package manager) to install ffmpeg and the Python dependencies (requests, openai-whisper, mlx-whisper).
- Consider inspecting the full set_api_key implementation (in scripts/tikhub.py) to confirm it does not persist secrets insecurely.
- Legal/terms note: scraping/downloading videos and comments may violate service terms or local laws; ensure you have permission and are within the terms of service.
If you need to proceed but want to reduce risk: run the code in an isolated environment (container/VM), inspect or patch the subprocess usage to avoid shell=True (use list-argument subprocess.run without shell), and validate/sanitize all filenames and URLs before passing them to shell commands.
Function analysis
Type: OpenClaw Skill
Name: tikhub-douyin-pipeline
Version: 1.1.0
The skill bundle contains a critical shell injection vulnerability in `scripts/tikhub.py` within the `whisper_transcribe` function. This function constructs a command string using unsanitized input (an `aweme_id` derived from a user-provided URL) and executes it via `subprocess.run(..., shell=True)`. An attacker could exploit this to achieve Remote Code Execution (RCE) by providing a crafted URL containing shell metacharacters. While the code appears to be a legitimate tool for the TikHub API (interacting with `api.tikhub.io` and `api.tikhub.dev`), the lack of input sanitization in a shell-executing context is a major security flaw.
Capability assessment
Purpose & Capability
Name, description, SKILL.md and code align: the package calls TikHub endpoints, downloads videos, extracts audio, and runs Whisper/MLX-Whisper transcription. The endpoints used (api.tikhub.io / .dev) and the functions implemented match the stated purpose.
Instruction Scope
SKILL.md instructs running batch.py and the full pipeline; those are coherent. However, the implementation launches external tools (ffmpeg, whisper) and in one code path constructs and runs a shell command via nohup with subprocess.run(..., shell=True). That creates a command-injection risk if filenames/paths are attacker-controlled or contain special characters. The skill also writes logs to /tmp and spawns background processes, which users should be aware of.
Install Mechanism
No install spec (instruction-only with code files) — low install risk. Minor mismatch: requirements.txt lists 'ffmpeg' (which is not a Python package) while SKILL.md correctly instructs installing ffmpeg via brew; this is a packaging inaccuracy but not an overt supply-chain issue.
Credentials
The skill requests no environment variables or external credentials in metadata. The code uses an API key (API_KEY global) and the SKILL.md instructs the user to obtain/set a TikHub API key — that matches purpose. No unrelated credentials or config paths are requested.
Persistence & Privilege
`always` is false; the skill is user-invocable, and autonomous invocation remains the platform default. The skill does spawn background Whisper jobs and writes logs to /tmp, but it does not request elevated or persistent platform-wide privileges or modify other skills.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install tikhub-douyin-pipeline
  3. After installation, call the Skill by name directly or trigger it with /tikhub-douyin-pipeline
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.1.0
SKILL.md v5: fixed the API call style (v4 → v5 async Client), API key read from .env, completed Douyin link parsing, all-new pipeline code
Metadata
Slug tikhub-douyin-pipeline
Version 1.1.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

What is TikTok/Douyin Creation Pipeline?

A TikHub API multi-platform data-scraping tool supporting Douyin/TikTok/Bilibili and others. Use when the user mentions: (1) scraping Douyin/TikTok/Bilibili videos or comments; (2) fetching user info/follower lists; (3) batch-downloading watermark-free videos; (4) converting a Douyin link to text (download → audio → Whisper pipeline); (5) calling the TikHub API. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 108 downloads to date.

How do I install TikTok/Douyin Creation Pipeline?

Run the command "/install tikhub-douyin-pipeline" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is TikTok/Douyin Creation Pipeline free?

Yes, TikTok/Douyin Creation Pipeline is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does TikTok/Douyin Creation Pipeline support?

TikTok/Douyin Creation Pipeline runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed TikTok/Douyin Creation Pipeline?

Developed and maintained by kk.Tang (@kk-kingkong); current version v1.1.0.
