toutiao-publish
by charlesliu-sap · GitHub · v1.0.0 · MIT-0
182 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install toutiao-publish-docx
Description
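Publishes articles in the Toutiao (头条号) creator backend using a Cookie or a saved session, with support for title/body/images and docx import from a fixed directory. Invoke it when the user wants to publish Toutiao articles automatically, passes in cookie_header, or asks to publish via the docx workflow.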
Usage Guidance
Before installing or using this skill:
1) Confirm you actually have the project at /home/ubuntu/projects/toutiao_poster (or adjust paths) and a working .venv; this skill has no installer.
2) Treat TOUTIAO_COOKIE as a secret: only provide cookies you control and understand that the local script will use them to authenticate; do not paste production account cookies unless you trust the host.
3) Verify and restrict file permissions on the image/docx/artifacts directories — the script will read, upload, and move files there.
4) Ask the publisher for the source code or a homepage and installation instructions so you can audit what the Python module does (network calls, logging, error handling).
5) If you plan to run this in a different environment, update the SKILL.md paths and document required env vars (TOUTIAO_COOKIE, TOUTIAO_IMAGE_DIR) so requirements and metadata match.
If you cannot verify the above, avoid providing cookies or running this skill on sensitive accounts.
Capability Analysis
Type: OpenClaw Skill
Name: toutiao-publish-docx
Version: 1.0.0
The skill bundle contains a significant shell injection vulnerability in SKILL.md. The instructions guide the AI agent to construct bash commands by directly inserting user-provided strings (such as title, content, and cookie_header) into single-quoted shell arguments. This pattern is highly susceptible to exploitation if the input contains single quotes or other shell metacharacters, potentially allowing arbitrary command execution on the host system. While the stated purpose of automating Toutiao posts is plausible, the insecure command construction poses a high security risk.
Capability Assessment
Purpose & Capability
The name/description (publish to Toutiao using cookie or saved session, support docx import) matches the runtime steps. However the SKILL.md assumes a preinstalled project at /home/ubuntu/projects/toutiao_poster with a .venv and specific artifact directories; the registry metadata declares no install steps or required env vars — so the skill will only work where that exact layout exists. This is plausible for a private server deployment but is an undeclared dependency.
Instruction Scope
The instructions tell the agent to cd into a fixed path and run a local Python module, read and upload images/docx from specific absolute directories, archive files to done/, and save screenshots to artifacts/. Those file I/O and move operations are all within the posting workflow, but the doc explicitly references environment variables (TOUTIAO_COOKIE, TOUTIAO_IMAGE_DIR) and saved session files that are not listed in metadata. The SKILL.md also assumes headless automation and clicking UI elements — this requires the host to have the necessary runtime and credentials.
Install Mechanism
This is an instruction-only skill with no install spec or code. That limits supply-chain risk (nothing is downloaded by the skill), but it shifts risk to assumptions about a preinstalled project and environment which are undocumented.
Credentials
Metadata lists no required env vars, but SKILL.md uses TOUTIAO_COOKIE (sensitive browser cookie string) and optionally TOUTIAO_IMAGE_DIR. Asking users to supply browser cookies is expected for session-based posting, but the mismatch between declared requirements and the actual sensitive inputs is an inconsistency worth surfacing: the skill can cause sensitive cookie data to be used and transmitted by the local script, and it will read/move files under several absolute paths.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It will perform local file operations (moving posted images/docx to done/ and writing screenshots in artifacts/), which is expected behavior for this tool but means it needs filesystem privileges in those directories. No elevated platform privileges are requested via metadata.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install toutiao-publish-docx
- After installation, invoke the skill by name or use /toutiao-publish-docx
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
initial submit
Frequently Asked Questions
What is toutiao-publish?
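It publishes articles in the Toutiao (头条号) creator backend using a Cookie or a saved session, with support for title/body/images and docx import from a fixed directory. Invoke it when the user wants to publish Toutiao articles automatically, passes in cookie_header, or asks to publish via the docx workflow. It is an AI Agent Skill for Claude Code / OpenClaw, with 182 downloads so far.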
How do I install toutiao-publish?
Run "/install toutiao-publish-docx" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is toutiao-publish free?
Yes, toutiao-publish is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does toutiao-publish support?
toutiao-publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created toutiao-publish?
It is built and maintained by charlesliu-sap (@charlesliu-sap); the current version is v1.0.0.