Downloads: 739 | Stars: 1 | Active Installs: 8 | Versions: 2
Install in OpenClaw
/install weibo
Description
Use Weibo Open Platform for OAuth2 authentication, timeline retrieval, topic search, and structured social sentiment collection. Trigger this skill when task...
Usage Guidance
This skill appears to implement the Weibo OAuth and API calls it claims, but review these points before installing or enabling it:
1) Use SecretRef or your external secret manager for WEIBO_APP_SECRET (the repo already recommends this). Do not commit secrets.
2) Be careful with WEIBO_ACCESS_TOKEN: the CLI will attach it to requests automatically — avoid setting that env var in long-lived/shared environments unless needed.
3) The 'call' command accepts absolute URLs and will include access tokens if present; do not use it against untrusted endpoints (it can leak tokens). Prefer explicit /2/... paths and double-check target URLs.
4) If you do not want the Brave fallback, keep weibo-brave-search disabled or treat it as a separate skill; its credential (BRAVE_SEARCH_API) is declared separately.
5) Inspect scripts (scripts/weibo_cli.sh and weibo-brave-search/scripts/weibo_search.py) yourself and consider adding local guards (e.g., disallow non-Weibo URLs or require explicit --allow-external flag) if you plan to run this in autonomous workflows.
If you want higher assurance, ask the publisher to add an explicit warning about the 'call' behavior and a guard that prevents tokens being sent to non-Weibo domains.
Capability Analysis
Type: OpenClaw Skill
Name: weibo
Version: 1.0.1
The skill is classified as suspicious due to a Server-Side Request Forgery (SSRF) vulnerability in `scripts/weibo_cli.sh`. The `cmd_call` function allows the execution of `curl` requests to arbitrary URLs specified via the `--path` argument, which could be exploited by a malicious actor or a compromised agent to perform unauthorized network requests. While the skill's stated purpose is legitimate and its documentation (including `OPENCLAW_SECRETS_REMEDIATION_PLAN.md`) demonstrates strong security awareness and transparency, this vulnerability represents a significant risk without clear evidence of intentional malicious design.
Capability Assessment
Purpose & Capability
Name, description, declared binaries (bash, curl, python3), and required env vars (WEIBO_APP_KEY, WEIBO_APP_SECRET, WEIBO_REDIRECT_URI) align with an OAuth2-based Weibo CLI. The companion Brave-search code is provided as a distinct sub-skill and documented as a fallback, which matches expectations.
Instruction Scope
The SKILL.md and scripts provide appropriate commands for OAuth flow and standard Weibo endpoints. However, the CLI's 'call' command accepts full absolute URLs (not just /2/ paths) and will automatically attach WEIBO_ACCESS_TOKEN if present; this means a user or an autonomous agent could be directed to call an arbitrary external endpoint and inadvertently transmit sensitive tokens. The docs do not prominently warn about that leakage vector.
Install Mechanism
No install spec (instruction-only with shipped scripts). That minimizes supply-chain risk. The repo files are plain shell and Python code with no external downloads or archive extraction.
Credentials
Requested env vars are proportional to stated functionality: app key/secret and redirect URI for OAuth; optional WEIBO_ACCESS_TOKEN for pre-issued-token workflows. Companion BRAVE_SEARCH_API is declared only in the weibo-brave-search sub-skill. The project docs and remediation plan explicitly call out secret-handling practices. Still, automatic use of WEIBO_ACCESS_TOKEN in arbitrary 'call' invocations increases the chance of secret leakage if env secrets are not tightly managed.
Persistence & Privilege
No elevated persistence requested: always is false, no install hooks or changes to other skills' config. The skill does not request system-wide configuration changes.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install weibo
- After installation, invoke the skill by name or use /weibo
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Split Weibo web search fallback into a new companion skill (`weibo-brave-search`), focusing this skill solely on official Weibo API.
- Overhauled credential instructions with a new section on secret handling, clarifying required variables and OpenClaw integration.
- Updated skill description and metadata for clearer scope and environment configuration.
- Added new companion and secret remediation documentation files; removed bundled web search fallback script.
- CLI usage, workflow, and command set remain unchanged.
v1.0.0
Weibo Skill v1.0.0 – Initial Release
- Supports OAuth2 authentication and access token management for Weibo Open Platform.
- Provides Bash CLI for direct API calls: public timeline, user timeline, and topic search.
- Includes web search fallback script for Weibo trend signals when API access is unavailable.
- Structured workflow outline for credential setup, token retrieval, and endpoint usage.
- Emphasizes automation-friendly, reproducible commands with JSON output and official doc references.
Frequently Asked Questions
What is Weibo Microblogging CLI?
Use Weibo Open Platform for OAuth2 authentication, timeline retrieval, topic search, and structured social sentiment collection. Trigger this skill when task... It is an AI Agent Skill for Claude Code / OpenClaw, with 739 downloads so far.
How do I install Weibo Microblogging CLI?
Run "/install weibo" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Weibo Microblogging CLI free?
Yes, Weibo Microblogging CLI is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Weibo Microblogging CLI support?
Weibo Microblogging CLI is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Weibo Microblogging CLI?
It is built and maintained by oscraters (@oscraters); the current version is v1.0.1.