← Back to Skills Marketplace

Social Media Auto

Name: Social Media Auto
Author: linzmin

by linzmin · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

252

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install social-media-auto

Description

自媒体内容生成技能 - 热点抓取 + AI 创作 + 多平台适配

Usage Guidance

What to consider before installing: - Expect this skill to contact external Alibaba Cloud services (mcporter / 阿里云 MCP) for both trending search and AI generation. The package metadata does not declare any credentials — you should only install if you understand and trust how you will provide mcporter/Aliyun credentials (and preferably configure them in a controlled environment). - The scripts call `npx mcporter ...` at runtime. `npx` can fetch packages on first run (supply-chain risk). If you don't want dynamic downloads, review and preinstall required tooling and pin versions. - The code uses child_process.execSync with string interpolation of user input (e.g. the --topic value). That is a command-injection hazard if you or other automated systems pass untrusted input into these scripts. Avoid running these scripts with untrusted inputs, or sanitize/escape arguments before use. - The SKILL.md included a prompt-injection-like artifact (unicode-control-chars). Inspect SKILL.md and the included files for any hidden characters or instructions that could alter behavior. - If you decide to try it: run it in a sandboxed environment (container or VM) first, inspect/verify mcporter configuration, and avoid running the test script or fetch/generate on any system containing sensitive credentials. If you need this functionality but want lower risk, ask the author to: declare required env vars, document mcporter setup, avoid shell interpolation (use child_process with argument arrays or a proper SDK), and pin any external dependencies.

Capability Analysis

Type: OpenClaw Skill Name: social-media-auto Version: 1.0.0 The skill bundle contains a shell injection vulnerability in 'scripts/generate-content.js' and 'scripts/fetch-trending.js'. User-provided input from the '--topic' argument is directly interpolated into a shell command executed via 'execSync' to call an external MCP tool (npx mcporter). While the overall logic for social media content generation appears legitimate and aligned with the stated purpose, the lack of input sanitization allows for arbitrary command execution. No evidence of intentional malice, data exfiltration, or persistence was found.

Capability Assessment

⚠ Purpose & Capability

The skill description says it uses 阿里云 MCP for search and AI generation and the scripts indeed call `npx mcporter call ...`, yet the registry metadata declares no required environment variables or primary credential. A user would reasonably expect this skill to require configuration/credentials for mcporter/Aliyun; the absence of declared env requirements is incoherent.

⚠ Instruction Scope

SKILL.md instructs running the included scripts (fetch/generate/format/save). The scripts perform network calls via `npx mcporter` and spawn shell commands with execSync. User-supplied inputs (e.g. --topic) are interpolated into shell commands without escaping, creating a local command-injection risk if untrusted inputs are used. The instructions do not warn about required mcporter configuration, nor about network traffic to external AI/search services.

ℹ Install Mechanism

There is no package-install spec (instruction-only install), and the included install.sh only checks for Node.js, chmods files and creates directories (low risk). However, runtime uses `npx` which may download packages on first use (transient supply-chain risk). No remote arbitrary archive downloads are present in the repo itself.

⚠ Credentials

The code relies on external cloud tooling (mcporter/阿里云 MCP) but the skill declares no env vars/credentials. That mismatch is concerning: the scripts will try to use mcporter (which typically requires authentication/config) and may fail or prompt the environment to provide secrets; the skill should have declared required credentials or document how mcporter should be configured.

✓ Persistence & Privilege

The skill does not request elevated platform privileges (always:false), does not autonomously persist beyond writing drafts/data within its own directory, and does not modify other skills or global agent config.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install social-media-auto
After installation, invoke the skill by name or use /social-media-auto
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- 首个版本发布，提供全功能自媒体内容生成工具 - 支持微博热搜和知乎热榜自动抓取 - 一键 AI 生成内容，支持多语气、多长度 - 自动适配公众号、小红书、抖音三大平台格式 - 内置草稿管理和版本控制功能 - 提供清晰模板与脚本化操作流程

Metadata

Slug social-media-auto

Version 1.0.0

License MIT-0

All-time Installs 3

Active Installs 2

Total Versions 1

Frequently Asked Questions

What is Social Media Auto?

自媒体内容生成技能 - 热点抓取 + AI 创作 + 多平台适配. It is an AI Agent Skill for Claude Code / OpenClaw, with 252 downloads so far.

How do I install Social Media Auto?

Run "/install social-media-auto" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Social Media Auto free?

Yes, Social Media Auto is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Social Media Auto support?

Social Media Auto is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Social Media Auto?

It is built and maintained by linzmin (@linzmin); the current version is v1.0.0.

More Skills