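Douyin Auto-Reply Assistant
v1.0.1 Douyin Auto-Reply Assistant - automatically replies to Douyin comments, sends referral codes, and steers users to private messages. Uses the DouyinBot API for comment monitoring, smart replies, and private-message lead generation. Suited to Douyin creators, e-commerce sellers, and paid-knowledge practitioners.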
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, docs and included scripts align with an automated Douyin comment-reply/pm tool. However, the main script (scripts/douyin_bot.py) currently contains TODO placeholders for get_comments, reply_comment and send_private_message (no real network calls implemented). references/api_docs.md shows expected API endpoints and example requests, so the package documents the intended capabilities, but the shipped code is incomplete — it will not actually call Douyin until those TODOs are implemented.
Instruction Scope
SKILL.md and QUICKSTART instruct the user to copy a browser session cookie into config.json or via the config_manager tool. That is expected for cookie-based automation, but asking users to extract and paste session cookies is sensitive: the cookie grants account access and must be kept secret. The runtime instructions and scripts operate on local files (config.json, stats.json, douyin_bot.log) and do not reference other system credentials or external endpoints beyond the documented Douyin API.
Install Mechanism
No install spec; this is an instruction-and-script package that runs locally. requirements.txt lists only requests, which matches the documented API usage. Nothing is downloaded from external/personal URLs or written to system locations during install.
Credentials
The skill requires no environment variables or external credentials in metadata; it uses a douyin_cookie stored in a local config file, which is proportionate to the stated purpose. The number and type of required secrets (just a session cookie) are appropriate for a cookie-authenticated client. Note: session cookies are sensitive and can be abused if exposed.
Persistence & Privilege
The skill does not request persistent elevated privileges, does not set always:true, and does not modify other skills or system-wide agent settings. It is user-invocable and can be run locally on demand.
Assessment
This package is internally coherent for a Douyin auto-reply tool, but review and consider the following before installing or running:
- Sensitive credential: the tool requires your Douyin session cookie (copied from your browser). Treat it like a password — do not share it, do not upload config.json to untrusted hosts, and store backups securely.
- Incomplete implementation: the main script has TODOs for the actual API calls (get_comments, reply_comment, send_private_message). By default it will not perform network operations until those functions are implemented. Verify any added network code before running.
- Run locally and inspect code: run in a controlled environment, read/understand the code that will call Douyin APIs, and confirm there are no hidden network endpoints or telemetry you don't expect.
- Account risk: automated replies can trigger platform enforcement. Use conservative rate limits/delays and prefer testing on a secondary account first.
- Dependencies: the package expects Python and the requests library; install only from trusted sources (pip install requests).
If you want higher assurance, ask the developer for a version where the API calls are implemented and peer-reviewed, or request a signed/source-controlled release (e.g., GitHub repo) so you can verify changes over time.
Like a lobster shell, security has layers — review code before you run it.
