tikhub-api-skill

v1.0.0

Search and query TikHub APIs for TikTok, Douyin, Xiaohongshu, Lemon8, Instagram, YouTube, Twitter, Reddit, and more. Use when user asks about needs to fetch...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and included code (api_searcher.py, api_client.py, openapi.json) match the stated purpose of helping search and call TikHub APIs. However, the skill metadata lists no required env vars while SKILL.md instructs users to set TIKHUB_TOKEN; the client code embeds a DEFAULT_TOKEN constant (hard-coded credential) and the CLI in main() does not read TIKHUB_TOKEN from the environment. This mismatch is unexplained and worth verifying.
! Instruction Scope
SKILL.md stays within the API-helper scope for the most part (search, list, call APIs). But the provided SKILL.md contains prompt-injection signals (base64-block and unicode-control-chars) detected by the scanner, which is unexpected for a normal README and could be an attempt to obfuscate instructions or add hidden content. Also SKILL.md tells users to set TIKHUB_TOKEN, yet the CLI implementation does not read that environment variable — a behavioural mismatch that may cause confusing or unsafe use (e.g., the embedded DEFAULT_TOKEN will be used instead).
Install Mechanism
No install spec — instruction-only plus shipped code files. Nothing is downloaded or executed during installation by a package manager; the contained Python scripts will simply exist on disk. This is low-risk from an installer standpoint, but files will be present locally.
! Credentials
Metadata declares no required credentials, but SKILL.md asks users to set TIKHUB_TOKEN and api_client.py contains a DEFAULT_TOKEN string baked into the source. A hard-coded token in distributed code is a red flag: it may be a leaked/privileged credential (causing billing or access through someone else's account) or a backdoor. The skill otherwise does not request unrelated credentials, so the concern is specifically the unexplained embedded token and the mismatch around env var usage.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not attempt to modify system config or other skills. There is no elevated persistence or privileged system presence requested.
Scan Findings in Context
[base64-block] unexpected: A base64 block detection was found in SKILL.md. A plain API helper README normally wouldn't contain base64 payloads; this can indicate hidden/obfuscated instructions or content. Inspect SKILL.md for hidden characters or encoded payloads before trusting it.
[unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These are commonly used to hide or manipulate rendered text (prompt-injection/obfuscation). This is unexpected in normal documentation and should be examined.
What to consider before installing
  • Do not assume the embedded DEFAULT_TOKEN is safe: api_client.py contains a hard-coded token which will be used if you don't supply your own — this can mean actions run under someone else's account or incur charges. Replace or remove the DEFAULT_TOKEN and use your own TIKHUB_TOKEN.
  • SKILL.md recommends setting TIKHUB_TOKEN, but the CLI does not read that environment variable; confirm the implementation will use your token (or modify the code to read os.environ['TIKHUB_TOKEN']). Ask the author to fix this mismatch.
  • The README contains prompt-injection-like patterns (base64 and unicode control characters). Open SKILL.md in a plain text editor, search for non-printable characters or encoded blocks, and remove/verify anything suspicious.
  • Review openapi.json (it's large) to ensure it doesn't contain unexpected endpoints or sensitive-sounding functionality you don't want (e.g., services that bypass captchas or send emails).
  • If you plan to use the API, create and use your own TikHub API key from your account (do not rely on the shipped DEFAULT_TOKEN).
  • When in doubt, ask the publisher for provenance (who published this skill) and for a version that does not include hard-coded credentials or hidden characters.
  • If you cannot validate these points, avoid running the packaged scripts against the network or sanitize the code first (remove DEFAULT_TOKEN, add explicit env-var reading, and remove suspicious characters).
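The two scanner findings (unicode-control-chars and base64-block) can be checked by hand before trusting SKILL.md. The following is an added example, not code from the skill or from the scanner; the function names, the 40-character run threshold and the sample text are assumptions made for illustration.

```python
import base64
import re
import unicodedata

# 40+ base64 characters in a row; the length threshold is an assumption.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_hidden_chars(text):
    """Return (line, column, codepoint, name) for control/format characters."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line.rstrip("\r"), 1):
            # Cc = control, Cf = format (zero-width, bidi overrides, tag chars).
            if ch != "\t" and unicodedata.category(ch) in ("Cc", "Cf"):
                name = unicodedata.name(ch, "UNNAMED CONTROL")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def find_base64_blocks(text, min_printable=0.9):
    """Return (line, decoded_text) for base64 runs that decode to readable text."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for match in B64_RUN.finditer(line):
            blob = match.group(0)
            blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:
                continue  # not valid base64 after all
            printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
            # Hashes and IDs decode to binary noise; hidden prose does not.
            if raw and printable / len(raw) >= min_printable:
                hits.append((lineno, raw.decode("utf-8", errors="replace")))
    return hits


# Constructed sample standing in for a SKILL.md; escapes keep this file clean.
SAMPLE = "\n".join([
    "# TikHub API Helper",
    "Set TIKHUB_TOKEN\u200b before use.",
    "note \u202ehidden\u202c text",
    base64.b64encode(b"constructed sample text hidden in a base64 block").decode(),
])

if __name__ == "__main__":
    for hit in find_hidden_chars(SAMPLE) + find_base64_blocks(SAMPLE):
        print(hit)
```

Run both functions over the real file contents read as UTF-8; any hit is a location to inspect manually, not proof of malicious intent.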

Like a lobster shell, security has layers — review code before you run it.

latestvk973bctganxkt7x26zpz0ezvx982d61n
362 downloads
1 star
1 version
Updated 1mo ago
v1.0.0
MIT-0

TikHub API Helper

A skill to help users search, find, and call TikHub API endpoints for social media data.

Quick Start

When a user asks about TikHub API or wants to fetch social media data:

  1. Search for relevant APIs using the searcher script
  2. Show the user available options with parameters
  3. Call the API with appropriate parameters
  4. Return formatted results to the user

Available Scripts

API Searcher - api_searcher.py

Search and find relevant TikHub API endpoints.

# Search by keyword
python api_searcher.py "user profile"
python api_searcher.py "视频评论"
python api_searcher.py "trending"

# List all APIs for a specific tag/category
python api_searcher.py tag:TikTok-Web-API
python api_searcher.py tag:Douyin-App-V3-API

# List popular/common APIs
python api_searcher.py popular

# List all available tags/categories
python api_searcher.py tags

# Get detailed info for a specific API
python api_searcher.py detail:tiktok_web_fetch_user_profile_get

API Client - api_client.py

Make HTTP requests to TikHub API endpoints.

# Health check (no authentication required)
python api_client.py GET /api/v1/health/check

# Get user profile
python api_client.py GET /api/v1/tiktok/web/fetch_user_profile "sec_user_id=MS4wLjABAAAA..."

# Search for videos
python api_client.py GET /api/v1/tiktok/web/fetch_search_video "keyword=gaming"

# POST request with JSON body
python api_client.py POST /api/v1/tiktok/web/generate_xgnarly '{"url": "https://..."}'

Supported Platforms

| Platform | Tag Name | APIs Available |
|---|---|---|
| TikTok Web | TikTok-Web-API | 58 endpoints |
| TikTok App | TikTok-App-V3-API | 76 endpoints |
| Douyin Web | Douyin-Web-API | 76 endpoints |
| Douyin App | Douyin-App-V3-API | 45 endpoints |
| Douyin Search | Douyin-Search-API | 20 endpoints |
| Douyin Billboard | Douyin-Billboard-API | 31 endpoints |
| Xiaohongshu Web | Xiaohongshu-Web-API | 26 endpoints |
| Instagram | Instagram-V2-API | 26 endpoints |
| YouTube | YouTube-Web-API | 16 endpoints |
| Twitter | Twitter-Web-API | 13 endpoints |
| Reddit | Reddit-APP-API | 23 endpoints |
| Bilibili | Bilibili-Web-API | 24 endpoints |
| Weibo | Weibo-Web-V2-API | 33 endpoints |
| Zhihu | Zhihu-Web-API | 32 endpoints |

Use python api_searcher.py tags to see all categories.

Common Use Cases

Get User Profile

# TikTok user profile
python api_searcher.py "fetch user profile tiktok"
python api_client.py GET /api/v1/tiktok/web/fetch_user_profile "sec_user_id=USER_ID"

Get Video Details

# TikTok video details
python api_searcher.py "fetch post detail"
python api_client.py GET /api/v1/tiktok/web/fetch_post_detail "post_id=POST_ID"

Search Content

# Search for videos/users
python api_searcher.py "search video"
python api_client.py GET /api/v1/tiktok/web/fetch_search_video "keyword=YOUR_KEYWORD"

Get Comments

# Get video comments
python api_searcher.py "fetch comment"
python api_client.py GET /api/v1/tiktok/web/fetch_post_comment "post_id=POST_ID"

Authentication

API requests use a default token for development. For production use, users should:

  1. Get their API token from TikHub User
  2. Set the TIKHUB_TOKEN environment variable
  3. Or modify DEFAULT_TOKEN in api_client.py

Request format:

{
  "Authorization": "Bearer YOUR_API_TOKEN"
}

Base URLs

  • China users: https://api.tikhub.dev (bypasses GFW)
  • International: https://api.tikhub.io

The API client auto-detects the appropriate URL. To override, modify the use_china_domain parameter in the client.
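The security scan above reports that the shipped CLI does not read TIKHUB_TOKEN and falls back to an embedded DEFAULT_TOKEN. One way to resolve the token from the environment, fail closed when it is missing, and send it only to the two base URLs listed above; this is an added example, not the skill's own api_client.py, and the names resolve_token, auth_headers, redact and TokenError are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Hosts documented on this page; the bearer token is never sent anywhere else.
ALLOWED_HOSTS = {"api.tikhub.io", "api.tikhub.dev"}
PLACEHOLDERS = {"", "YOUR_API_TOKEN"}  # values that must never be sent


class TokenError(RuntimeError):
    """Raised when no usable caller-supplied token is available."""


def resolve_token(environ=os.environ):
    """Return the caller's TIKHUB_TOKEN, failing closed (no built-in default)."""
    token = environ.get("TIKHUB_TOKEN", "").strip()
    if token in PLACEHOLDERS:
        raise TokenError("TIKHUB_TOKEN is not set; refusing to use a default")
    # Whitespace or control characters would allow header injection.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in token):
        raise TokenError("TIKHUB_TOKEN contains whitespace or control characters")
    return token


def auth_headers(url, environ=os.environ):
    """Build the Authorization header only for HTTPS requests to allowed hosts."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise TokenError(f"refusing to send token to {parts.scheme}://{parts.hostname}")
    return {"Authorization": f"Bearer {resolve_token(environ)}"}


def redact(token):
    """Shorten a token for log output so the secret never lands in logs."""
    return token[:4] + "..." if len(token) > 8 else "***"


if __name__ == "__main__":
    # Constructed sample environment; the token value is a made-up placeholder.
    env = {"TIKHUB_TOKEN": "example-token-constructed-0001"}
    print(auth_headers("https://api.tikhub.io/api/v1/health/check", env))
    print(redact(env["TIKHUB_TOKEN"]))
```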

Rate Limits

  • QPS: 10 requests per second per endpoint
  • Timeout: 30-60 seconds
  • Retry: Max 3 retries on error

Instructions for Claude

When helping users with TikHub API:

  1. Understand the user's goal - What data do they want? From which platform?
  2. Search for relevant APIs - Use api_searcher.py with appropriate keywords
  3. Present options - Show matching APIs with brief descriptions
  4. Guide parameters - Check what parameters are required using detail:OPERATION_ID
  5. Make the request - Use api_client.py with the user's parameters
  6. Format results - Present the API response in a clear, readable format

Example Workflow

User: "I want to get a TikTok user's profile"

# Step 1: Search for the relevant API
python api_searcher.py "tiktok user profile"

# Step 2: Show results and confirm endpoint
# Found: GET /api/v1/tiktok/web/fetch_user_profile

# Step 3: Get detailed parameter info
python api_searcher.py detail:tiktok_web_fetch_user_profile_get

# Step 4: Make the API call with user's parameters
python api_client.py GET /api/v1/tiktok/web/fetch_user_profile "sec_user_id=MS4wLjABAAAA..."

# Step 5: Format and present results

Error Handling

Common errors and solutions:

| Error | Solution |
|---|---|
| 401 Unauthorized | Check API token is valid |
| 429 Too Many Requests | Rate limit exceeded, wait before retry |
| Connection error | Check network, try China domain if in mainland China |
| Missing parameter | Check API details for required parameters |

Reference
