Douyin Video Search

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill appears to perform the advertised Douyin search through TikHub, but users should note that it requires a TikHub API token and sends every search request to TikHub.

Before installing, make sure you are comfortable giving this skill a TikHub API token and sending your Douyin search terms to TikHub. The code shown is consistent with the advertised search function, but the publisher should clean up debug output and improve source/dependency metadata.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can make TikHub API requests using the user's token when this skill is invoked.

Why it was flagged

The skill requires a provider API token stored in the OpenClaw config. This is purpose-aligned for TikHub API search, but it grants the skill delegated access to the user's TikHub account/API quota.

Skill content

This skill requires a valid TikHub API Token to work. Please add the following configuration item to your `~/.openclaw/config.json` file. ... "tikhub_api_token": "YOUR_TIKHUB_API_TOKEN"

Recommendation

Use a revocable TikHub token with the minimum needed scope or quota, and rotate it if you no longer trust the skill or environment.

What this means

TikHub receives the search keywords, filters, pagination values, and the API token used for the request.

Why it was flagged

The script sends the search payload and bearer-token authorization header to the TikHub API endpoint. This external provider call is disclosed and central to the skill's purpose.

Skill content

TIKHUB_SEARCH_URL = "https://api.tikhub.io/api/v1/douyin/search/fetch_general_search_v1" ... resp = requests.post(TIKHUB_SEARCH_URL, json=payload, headers=headers, timeout=30)

Recommendation

Avoid searching highly sensitive terms unless you are comfortable sharing them with TikHub, and review TikHub's privacy and token-management practices.

What this means

The agent transcript may include extra raw response fragments or debug lines, which can clutter output or expose more provider response detail than expected.

Why it was flagged

The script prints debug status and the first 500 characters of the raw provider response on every request, even though the documentation presents raw JSON output as controlled by the --raw flag.

Skill content

print(f"DEBUG: status_code={resp.status_code}")
print(f"DEBUG: response_text={resp.text[:500]}")

Recommendation

Remove unconditional debug prints or gate them behind an explicit --debug option.

What this means

It may be harder to verify the skill's origin or reproduce the exact dependency environment if setup is done manually.

Why it was flagged

The source URL appears to be a placeholder and the dependency is unpinned. The runnable script is included and no automatic installer is shown, so this is a provenance/reproducibility note rather than a malicious indicator.

Skill content

source: https://github.com/your-repo/douyin-video-search ... requirements:
    - python
    - "pip:requests"

Recommendation

Publish accurate source metadata and pin or document dependency versions for more reproducible installation.