toutiao-publish-docx

by charlesliu-sap · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 100 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install toutiao-publish-docx-v1
Description
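Publishes articles in the Toutiao (头条号) creator backend using a cookie or a saved session, with support for title/body/images and docx import from a fixed directory. Invoke it when the user wants to publish a Toutiao article automatically, passes a cookie_header, or asks to publish via the docx workflow.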
Usage Guidance
This skill appears to do what it says (automate publishing to Toutiao), but there are important mismatches you should address before installing or running it:

- Missing declarations: SKILL.md uses the TOUTIAO_COOKIE environment variable and specific project paths (/home/ubuntu/projects/toutiao_poster and artifact directories), but the skill metadata lists no required env vars or config paths. Confirm where cookies/sessions will be stored and whether the platform will pass TOUTIAO_COOKIE if you provide one.
- Verify the runtime environment: The instructions assume a Python project and virtualenv at /.venv and a module named toutiao_poster. If that code is not present on the host, the commands will fail. If it is present, inspect that code before running — it will have filesystem access to the referenced directories.
- Protect secrets: A cookie header grants access to the user's account—only supply cookies you trust and only run this on a dedicated, non-shared environment. Do not paste browser cookies in untrusted consoles.
- Filesystem risk: The skill reads/moves files under absolute paths. If you run it on a shared machine, ensure those paths don't contain unrelated sensitive data. Prefer running in an isolated VM/container with minimal other data.
- Improve metadata before use: Ask the publisher to declare required env vars (TOUTIAO_COOKIE, optional TOUTIAO_IMAGE_DIR) and required config paths in the registry metadata so the permission surface is explicit.

If you cannot verify the presence and content of the toutiao_poster project or cannot ensure a dedicated environment, avoid using this skill or run it only after code inspection and environment hardening.
Capability Analysis
Type: OpenClaw Skill
Name: toutiao-publish-docx-v1
Version: 1.0.0

The skill bundle is designed to automate article publishing on the Toutiao platform, but it is classified as suspicious due to a significant shell injection vulnerability. The instructions in SKILL.md direct the AI agent to construct and execute shell commands by directly embedding user-provided inputs (like 'title' and 'content') into command strings, which could allow an attacker to execute arbitrary code on the host system. Furthermore, the skill requires the handling of sensitive session cookies (TOUTIAO_COOKIE), which increases the potential impact of such an exploit.
Capability Assessment
Purpose & Capability
The name/description (publish to 头条 using cookie or saved session, support docx import) aligns with the runtime instructions (commands to run toutiao_poster). However the instructions assume a preexisting Python project and runtime environment at /home/ubuntu/projects/toutiao_poster and a module toutiao_poster; the registry metadata lists no required files or env vars, which is inconsistent with what the skill actually expects to run.
Instruction Scope
SKILL.md directs the agent to read and move files in fixed absolute paths (images/docx/artifacts under /home/ubuntu/projects/...), to save screenshots to those artifact directories, and to use a TOUTIAO_COOKIE environment variable. Those filesystem accesses and env-var usage are not declared and go beyond a simple API integration; the instructions assume local filesystem and session files exist and instruct modifying them (moving processed files to done/).
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Because it contains no packaged install steps, nothing would be written by the skill itself at install time. The runtime commands, however, assume existing installed code/software.
Credentials
Although the registry lists no required env vars, the SKILL.md shows use of TOUTIAO_COOKIE and allows overriding image/docx directories via env vars (TOUTIAO_IMAGE_DIR). Requesting and using cookies to authenticate is expected for this purpose, but the omission from declared requirements is an inconsistency. The skill will also read arbitrary files under the project path — access that could expose other artifacts if the environment is shared.
Persistence & Privilege
always is false and there is no indication the skill requests permanent or elevated platform privileges. It does instruct moving files under its own project directories, which is normal for a local automation script.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install toutiao-publish-docx-v1
  3. After installation, invoke the skill by name or use /toutiao-publish-docx-v1
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Toutiao-publish v1.0.0 — Initial Release

- Allows posting articles (title, text, images, or docx import) to Toutiao using a cookie or saved session.
- Supports fully automated publishing with user-provided `cookie_header`, or falls back to saved session.
- Handles direct text/image posting and fixed-directory docx or image auto-import (with automatic archiving after success).
- Includes configurable wait time for docx parsing (`docx_wait_seconds`).
- Saves process screenshots for troubleshooting; describes common failure modes and recovery steps.
Metadata
Slug toutiao-publish-docx-v1
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is toutiao-publish-docx?

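It publishes articles in the Toutiao (头条号) creator backend using a cookie or a saved session, with support for title/body/images and docx import from a fixed directory. It is invoked when the user wants to publish a Toutiao article automatically, passes a cookie_header, or asks to publish via the docx workflow. It is an AI Agent Skill for Claude Code / OpenClaw, with 100 downloads so far.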

How do I install toutiao-publish-docx?

Run "/install toutiao-publish-docx-v1" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is toutiao-publish-docx free?

Yes, toutiao-publish-docx is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does toutiao-publish-docx support?

toutiao-publish-docx is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created toutiao-publish-docx?

It is built and maintained by charlesliu-sap (@charlesliu-sap); the current version is v1.0.0.
