TikTok Video Audit

Warn

Audited by ClawScan on May 10, 2026.

Overview

The TikTok audit workflow is mostly coherent, but the skill exposes a Lingya AI API key in its artifacts and under-declares required tooling and credential handling.

Do not install or run this version until the exposed API key has been removed and rotated. If you use a fixed version, provide your own Lingya AI key through a secret mechanism, verify yt-dlp and Python dependencies from trusted sources, and only audit videos you are allowed to send to the external AI service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can access the skill package may be able to use or abuse the exposed Lingya AI account key, potentially causing cost, quota loss, or account compromise.

Why it was flagged

The documentation exposes a concrete provider API key, and the static scan also reports a hardcoded API_KEY literal in scripts/tiktok_audit.py; this contradicts the metadata that declares no credential requirement.

Skill content

API Key: `sk-0zy1...`

Recommendation

Remove the key from SKILL.md and code, rotate/revoke the exposed key, require users to provide their own key via an environment variable or secret store, and declare the credential requirement in metadata.

What this means

The skill may fail on other machines or use an unexpected local binary if dependencies are not installed and verified.

Why it was flagged

The skill relies on local tooling and a developer-specific absolute path, while the registry lists no required binaries and no install spec.

Skill content

yt-dlp path: `/Users/apple/Library/Python/3.9/bin/yt-dlp`

Recommendation

Declare required binaries and Python packages, avoid hardcoded user-specific paths, and document a trusted installation method for yt-dlp and media-processing dependencies.

What this means

TikTok video content, frames, subtitles, and audit context may leave the local machine and be processed by Lingya AI.

Why it was flagged

The skill discloses that extracted video frames or video-derived content are sent to an external AI provider for audit.

Skill content

Lingya AI (gemini-3-flash) multi-image audit ... API: Lingya AI `https://api.lingyaai.cn/v1/chat/completions`

Recommendation

Use the skill only for videos you are authorized to submit to the provider, and document provider retention/privacy behavior and any user confirmation needed before upload.