← Back to Skills Marketplace

Toutiao Publish

Name: Toutiao Publish
Author: axdlee

by Sheldon.li · GitHub ↗ · v6.1.0

cross-platform ⚠ suspicious

1009

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install toutiao-publish

Description

自动发布内容到今日头条（微头条/文章）。触发词：发头条、发布头条、微头条、今日头条、发文章、写头条。支持 AI 推荐图片插入正文、免费正版图片库封面、完整文章自动化发布。

Usage Guidance

This skill automates publishing by running JavaScript inside your logged-in Toutiao browser session and by invoking a local 'browser' CLI and optional local HTTP server. Before installing: (1) verify you trust the author and read the included scripts (publish-toutiao.sh, test-publish.sh) line-by-line; (2) confirm you have the required tooling (a CDP-capable Chrome/Chromium and the 'browser' CLI) — the registry metadata does not list these dependencies; (3) run tests in a separate, disposable browser profile or isolated environment to avoid publishing accidental content or exposing sensitive cookies; (4) don't give this skill access to sensitive local files or shared browser profiles; and (5) if you cannot audit the code yourself, treat it as risky because evaluate() calls can be modified to exfiltrate data visible to the page. If those concerns are acceptable and you audit the scripts, the skill's actions are consistent with its stated purpose.

Capability Analysis

Type: OpenClaw Skill Name: toutiao-publish Version: 6.1.0 The skill is classified as suspicious due to the broad `fileRead: true` permission declared in `SKILL.md`, which allows reading any local file without explicit justification in the provided scripts for the current version. While `fileWrite`, `network`, and `shell` permissions are restricted to specific paths/domains/commands (`/tmp/openclaw/uploads/`, `mp.toutiao.com + localhost:8000`, `python3 http.server` respectively), the unrestricted `fileRead` capability, combined with the presence of `shell` and `localhost` network access, introduces a potential risk for unauthorized data access, even without clear evidence of intentional malicious exploitation in the current code. The `publish-toutiao.sh` script also directly injects user-provided HTML content into the browser via `innerHTML`, which could lead to XSS on the target platform if not properly sanitized by Toutiao, though this is a vulnerability of the target platform rather than malicious intent by the skill itself.

Capability Assessment

ℹ Purpose & Capability

Functionality (automating mp.toutiao.com publish flow via browser automation and JS injection) matches the stated purpose. However the registry metadata lists no required binaries or environment needs while README/SKILL.md and the shipped scripts clearly require a 'browser' CLI, Chrome/Chromium, Node.js/Python and a CDP-capable browser — the missing declared dependency is an incoherence that could hide runtime surprises.

⚠ Instruction Scope

Runtime instructions repeatedly use browser.act evaluate to run arbitrary JavaScript inside the publishing page (setting innerHTML, dispatching events, clicking UI elements). That is necessary for automation, but it also gives the skill the ability to read or manipulate any data visible in the page context (profile info, tokens in DOM, etc.). The SKILL.md also requests file read/write, network to mp.toutiao.com and localhost, and shell access (to run a local http.server) — these broaden the scope and increase the risk of data exposure if the scripts are modified or misused.

ℹ Install Mechanism

There is no remote install step (no downloads), and all code is included in the package (shell scripts and docs). That reduces supply-chain risk, but the package contains executable shell scripts that will invoke the 'browser' CLI and spawn/expect local services. The absence of an explicit install spec is acceptable but you should review and audit the included scripts before running them.

⚠ Credentials

The registry lists no required environment variables or credentials (reasonable because the skill uses your logged-in browser session), yet SKILL.md declares permissions for fileRead/fileWrite, network and shell. Requesting file and shell access is plausible for serving local images via an HTTP server, but these capabilities are powerful and not justified in detail by the description. The skill does not ask for explicit API keys, but it will act using whatever Toutiao session is present in the browser — meaning it operates with your account privileges.

✓ Persistence & Privilege

The skill is not marked always:true and does not request to modify other skills or system-wide settings. It runs on demand and its persistence/privilege level is reasonable for a user-invoked browser automation skill.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install toutiao-publish
After installation, invoke the skill by name or use /toutiao-publish
Provide required inputs per the skill's parameter spec and get structured output

Version History

v6.1.0

toutiao-publish v6.1.0 – 实测验证版 - 新增“实测验证”说明，展示真实完整发布流程和成功案例，含文章链接及各步骤 Ref。 - 实测覆盖：登录、编辑、AI图片插入、声明设置、发布与成功验证，公布各环节成功率（100%）。 - SKILL.md 新增“实测关键 Ref 对照表”，帮助快速定位 DOM 元素。 - 其他文档同步更新，补充有效性与实操细节。 - 无新增功能，主要为实测验证与文档增强。

v6.0.0

toutiao-publish v6.0.0 introduces AI-powered image selection and fully automated publishing: - Added AI 推荐图片插入功能：可自动推荐并插入正文配图，提升发布效率 - 实现免费正版图片库封面自动化选择（100% 自动） - JavaScript 注入内容支持完整事件序列，兼容性更强 - 增强错误自动重试机制，处理 ref 失效与 AI 加载超时 - 新增一键发布脚本（publish-toutiao.sh） - 更新文档，明确流程与动态 ref 注意事项已知限制：正文图片暂不支持本地上传，须用 AI 推荐图片；首次用需预先登录

v4.0.0

v4.0.0 Major Update: HTTP server scheme, drag-drop image upload, free stock photo library, long article support (2000+ words), complete automation flow

v1.0.2

- No file changes detected for this version. - Documentation and user instructions remain unchanged.

v1.0.1

首个版本：支持今日头条微头条/文章自动发布，包括登录流程、图片上传、头条首发、作品声明等功能

v1.0.0

toutiao-publish 1.0.0 - Initial release with automated publishing to Jinri Toutiao (Weitoutiao/posts and articles). - Supports text, images (mixed into content), topics, and location tags. - Automatically handles login, pop-up dialogs, and publishing flow. - Key notifications only for major steps (search, writing, publish result). - Provides detailed formatting and content structure recommendations for both posts and articles. - Includes troubleshooting tips and reference for key UI elements.

Metadata

Slug toutiao-publish

Version 6.1.0

License —

All-time Installs 8

Active Installs 8

Total Versions 6

Frequently Asked Questions

What is Toutiao Publish?

自动发布内容到今日头条（微头条/文章）。触发词：发头条、发布头条、微头条、今日头条、发文章、写头条。支持 AI 推荐图片插入正文、免费正版图片库封面、完整文章自动化发布。 It is an AI Agent Skill for Claude Code / OpenClaw, with 1009 downloads so far.

How do I install Toutiao Publish?

Run "/install toutiao-publish" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Toutiao Publish free?

Yes, Toutiao Publish is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Toutiao Publish support?

Toutiao Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Toutiao Publish?

It is built and maintained by Sheldon.li (@axdlee); the current version is v6.1.0.

More Skills