← Back to Skills Marketplace
262
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install cnblogs-publisher
Description
Manage CNBlogs (博客园) articles via MetaWeblog API. Supports save drafts, publish, update, and delete posts.
README (SKILL.md)
CNBlogs Publisher Skill
通过 MetaWeblog API 管理博客园(CNBlogs)文章的 OpenClaw Skill。
功能特性
- ✅ 保存草稿 - 快速创建文章草稿
- 📋 文章管理 - 获取列表、查看详情
- ✏️ 更新修改 - 修改已有文章内容
- 🚀 一键发布 - 将草稿发布为正式文章
- 🗑️ 安全删除 - 删除文章(带确认机制)
快速开始
1. 配置环境变量
export CNBLOGS_BLOG_URL="https://rpc.cnblogs.com/metaweblog/your-blog-name"
export CNBLOGS_USERNAME="your-username"
export CNBLOGS_TOKEN="your-metaweblog-token"
获取 Token:博客园 → 设置 → 其他设置 → MetaWeblog 访问令牌
2. 保存第一篇草稿
# 创建文章
cat > mypost.md \x3C\x3C 'EOF'
# 我的第一篇文章
Hello,这是我的第一篇博客!
EOF
# 保存到草稿箱
python scripts/save_draft.py "我的第一篇文章" "mypost.md" "随笔"
3. 发布文章
# 使用上一步返回的文章 ID
python scripts/publish.py 12345678
所有命令
| 命令 | 功能 | 示例 |
|---|---|---|
get_blog_info.py |
获取博客信息 | python scripts/get_blog_info.py |
list_drafts.py |
获取文章列表 | python scripts/list_drafts.py |
get_post.py |
获取单篇文章 | python scripts/get_post.py 12345 |
save_draft.py |
保存草稿 | python scripts/save_draft.py "标题" "file.md" "分类" |
update_draft.py |
更新草稿 | python scripts/update_draft.py 12345 "file.md" "分类" |
publish.py |
发布文章 | python scripts/publish.py 12345 |
delete_post.py |
删除文章 | python scripts/delete_post.py 12345 |
完整文档
详细文档、API 参考、故障排除请访问: https://github.com/suversal/cnblogs-publisher/blob/main/README.md
技术栈
- Python 3.7+
- MetaWeblog API
- xmlrpc.client
许可证
MIT License
作者: suversal
仓库: https://github.com/suversal/cnblogs-publisher
版本: 1.0.0
Usage Guidance
This skill appears to implement exactly what it claims (CNBlogs MetaWeblog operations), but there are a few issues you should address before installing or running it:
1) Metadata vs. behavior: The skill metadata does not declare required environment variables, but the scripts need CNBLOGS_BLOG_URL, CNBLOGS_USERNAME and CNBLOGS_TOKEN. Treat these as required secrets and do not leave them unset. Prefer the metadata be corrected to list required env vars.
2) Secrets in the repo: tests/test_all.sh includes an exported CNBLOGS_TOKEN-like value and a local path — this may be a leaked credential or a placeholder that looks real. Do not assume that value is safe; remove or rotate any real token embedded in the package before use.
3) TLS verification: The scripts disable SSL verification. This can expose your token and data to man-in-the-middle attacks. Prefer enabling proper certificate verification or only use the scripts against trusted endpoints; modify CustomTransport to use default SSL verification where possible.
4) Hardcoded defaults: Several scripts include default BLOG_URL/USERNAME/blogid values. Make sure you explicitly set your environment variables (do not rely on defaults) so the scripts don't accidentally act against a different account.
5) Token storage best practices: The SKILL.md suggests adding exports to ~/.zshrc; that's convenient but exposes the token to any local process that can read that file. Consider more secure storage (e.g., OS secret store or ephemeral env vars) and avoid committing tokens into dotfiles or the repository.
6) Audit before running: Inspect and, if necessary, remove test files that contain secrets. Run scripts in a controlled environment first, and verify that network endpoints contacted are only your CNBlogs MetaWeblog URL(s). If you need help hardening the scripts (re-enable SSL verification, remove defaults), update them before use.
Capability Analysis
Type: OpenClaw Skill
Name: cnblogs-publisher
Version: 1.0.1
The skill bundle provides legitimate functionality for managing CNBlogs articles via the MetaWeblog API, but contains several security vulnerabilities. Multiple scripts (e.g., delete_post.py, save_draft.py, publish.py) explicitly disable SSL certificate verification using ssl._create_unverified_context(), which exposes the user to Man-In-The-Middle (MITM) attacks. Additionally, the test script tests/test_all.sh contains hardcoded credentials, including a MetaWeblog access token and username. While these appear to be developer oversights rather than intentional malice, the lack of input sanitization and weak transport security meet the criteria for a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md and the Python scripts all align: they implement MetaWeblog operations for CNBlogs (list, save, update, publish, delete). However registry metadata declares no required environment variables or primary credential while both SKILL.md and the scripts expect CNBLOGS_BLOG_URL, CNBLOGS_USERNAME and CNBLOGS_TOKEN — this mismatch is incoherent and should be fixed.
Instruction Scope
Instructions ask the user to export CNBLOGS_BLOG_URL, CNBLOGS_USERNAME and CNBLOGS_TOKEN and run the included scripts — that's within expected scope. Concerns: (1) the scripts create an SSL context that disables verification (ssl._create_unverified_context()), which weakens TLS protections; (2) test/test_all.sh contains explicit environment exports including a long token value and an absolute user path (indicative of a leaked credential/example that could be sensitive); (3) many scripts include hardcoded default BLOG_URL/USERNAME/blogid values, so if env vars are unset they may attempt to contact those defaults unexpectedly.
Install Mechanism
No install spec; the package is instruction-plus-scripts and does not download or install remote code at install-time — this is lower risk.
Credentials
The skill legitimately requires a CNBlogs MetaWeblog token and username, but the registry metadata does not declare any required env vars. That omission is inconsistent. Additionally, a test script in the repo contains a long token-like string exported as CNBLOGS_TOKEN — embedding tokens in repository files is a sensitive issue and not appropriate for published packages.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. It suggests adding env exports to shell rc files in documentation (which is user action, not automatic). The skill does not attempt to modify other skills or system settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install cnblogs-publisher - After installation, invoke the skill by name or use
/cnblogs-publisher - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Expanded feature descriptions and reorganized documentation for improved clarity and onboarding.
- Added environment variable setup details for full MetaWeblog API configuration.
- Provided step-by-step quick-start guide with code examples.
- Included a command reference table listing all script functionalities.
- Linked to full documentation and repository for further information.
v1.0.0
Initial release of cnblogs-publisher.
- Manage CNBlogs articles via MetaWeblog API.
- Features: save drafts, get article list/single article, update drafts, publish, and delete posts.
- Easy environment variable setup for authentication.
- Includes testing script and MIT license.
Metadata
Frequently Asked Questions
What is CNBlogs Publisher?
Manage CNBlogs (博客园) articles via MetaWeblog API. Supports save drafts, publish, update, and delete posts. It is an AI Agent Skill for Claude Code / OpenClaw, with 262 downloads so far.
How do I install CNBlogs Publisher?
Run "/install cnblogs-publisher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is CNBlogs Publisher free?
Yes, CNBlogs Publisher is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does CNBlogs Publisher support?
CNBlogs Publisher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created CNBlogs Publisher?
It is built and maintained by Sue (@suversal); the current version is v1.0.1.
More Skills