kk-kingkong

TikTok Creator Pipeline

Author: kk.Tang · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 128
Favorites: 1
Currently installed: 0
Versions: 1
Install in OpenClaw
/install tiktok-pipeline
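Description
A multi-platform data scraping tool built on the TikHub API, supporting Douyin, TikTok, Bilibili and others. Used when the user mentions: (1) scraping Douyin/TikTok/Bilibili videos or comments; (2) fetching user information or follower lists; (3) batch downloading watermark-free videos; (4) converting a Douyin link to text (download → audio → Whisper pipeline); (5) calling the TikHub API.
Safe usage recommendations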
This skill appears to do what it says (download videos, extract audio, and transcribe using TikHub + Whisper) but check the following before installing or running it:
- API key handling: The code requires a TikHub API key but the registry metadata doesn't declare it; only supply the key if you trust TikHub and understand that calls will be made to api.tikhub.io / api.tikhub.dev and will be billed for paid endpoints.
- Background jobs & files: The skill writes downloaded media and transcript files to disk and may launch background nohup processes that log to /tmp; be prepared to manage/remove these files and processes.
- Unsafe shell invocation: The whisper_transcribe implementation uses a shell command (nohup via shell=True). If you run this on untrusted inputs or pass filenames that you don't control, there is a command-injection risk. Consider reviewing/patching the code to avoid shell=True and to safely quote/sanitize paths.
- requirements/install: requirements.txt incorrectly lists 'ffmpeg' (not a pip package); SKILL.md suggests brew install ffmpeg. Ensure dependencies are installed from appropriate sources and review pip packages (requests, openai-whisper, mlx-whisper).
- Privacy and legality: The skill downloads and transcribes content from third-party platforms; confirm you have the right to download/transcribe content and that using TikHub's paid endpoints complies with their terms.

If you are comfortable with these trade-offs and can review or sandbox the code (remove shell=True, run in an isolated environment, confirm API key storage/use), the skill is usable; otherwise treat it as risky and avoid installing on sensitive systems.
Functional analysis
Type: OpenClaw Skill
Name: tiktok-pipeline
Version: 1.0.0
The skill bundle provides a pipeline for downloading and transcribing videos from Douyin and TikTok via the TikHub API (api.tikhub.io). It is classified as suspicious due to a critical shell injection vulnerability in `scripts/tikhub.py` within the `whisper_transcribe` function. This function constructs a command string using unsanitized input derived from user-provided URLs and executes it via `subprocess.run(shell=True)`, allowing for arbitrary command execution. While the code appears functionally aligned with its stated purpose, this high-risk vulnerability poses a significant security threat.
Capability assessment
Purpose & Capability
Name/description describe a TikHub multi-platform downloader + transcription pipeline and the code (API calls, download, ffmpeg extraction, Whisper/mlx-whisper transcribe, batch CLI) implements exactly that. Endpoints and functionality align with the stated purpose.
Instruction Scope
SKILL.md and batch.py instruct the agent/user to download videos, extract audio (ffmpeg), and run Whisper/mlx-whisper. The skill writes files locally (downloads/, /tmp logs), spawns background processes (nohup) and calls external TikHub endpoints — all expected for this purpose. However instructions and code rely on subprocess shell usage (nohup via shell=True) which introduces command-injection risk if file paths/inputs are not sanitized. SKILL.md does not declare environment variables in metadata even though an API key is required at runtime (it describes how to obtain/set it).
Install Mechanism
There is no install spec (instruction-only), which is low risk, but the package includes code files and requirements.txt. The requirements file mistakenly lists 'ffmpeg' (not a pip package) while SKILL.md instructs installing ffmpeg via brew — minor inconsistency but not malicious. No downloads from unknown hosts, and network calls are limited to api.tikhub.io / api.tikhub.dev and related TikHub endpoints.
Credentials
The skill needs a TikHub API key to call paid endpoints, but the registry metadata lists no required env vars/primary credential. The code uses a module-level API_KEY and HEADERS and exposes set_api_key and CLI --api-key options; the lack of declared required credentials in metadata is an omission and reduces transparency. No unrelated credentials or broad system config access are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It does spawn background transcription jobs (via nohup) and writes logs to /tmp, which are persistent on the host until cleaned; this is expected for long-running transcription but worth noting. The skill does not modify other skills or system-wide agent settings.
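How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install tiktok-pipeline
  3. Once installation completes, call the Skill by name or trigger it with /tiktok-pipeline
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history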
v1.0.0
First release: download TikTok/Douyin videos, extract audio, AI transcribe with Apple GPU (mlx-whisper) in 20-40 seconds. Supports batch processing.
Metadata
Slug tiktok-pipeline
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

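What is TikTok Creator Pipeline?

A multi-platform data scraping tool built on the TikHub API, supporting Douyin, TikTok, Bilibili and others. Used when the user mentions: (1) scraping Douyin/TikTok/Bilibili videos or comments; (2) fetching user information or follower lists; (3) batch downloading watermark-free videos; (4) converting a Douyin link to text (download → audio → Whisper pipeline); (5) calling the TikHub API. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 128 times to date.

How do I install TikTok Creator Pipeline?

Run the command "/install tiktok-pipeline" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.

Is TikTok Creator Pipeline free?

Yes. TikTok Creator Pipeline is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does TikTok Creator Pipeline support?

TikTok Creator Pipeline runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed TikTok Creator Pipeline?

It is developed and maintained by kk.Tang (@kk-kingkong); the current version is v1.0.0.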
