功能描述

Publish blog posts to Bear Blog platform. Supports user-provided markdown, AI-generated content, and auto-generated diagrams.

使用说明 (SKILL.md)

Bear Blog Publisher

Name: Bear Blog Publisher
Author: cattalk2

Publish blog posts to Bear Blog (https://bearblog.dev/).

Overview

This skill provides automated publishing capabilities for Bear Blog, including optional AI content generation and diagram generation.

Authentication Methods (Choose One)

Method 1: OpenClaw Config (Recommended for Personal Use)

Add to your ~/.openclaw/openclaw.json:

{
  "skills": {
    "bear-blog-publisher": {
      "email": "[email protected]",
      "password": "yourpassword"
    }
  }
}

Security: File permissions should be set to 600 (readable only by owner).

Method 2: Environment Variables (Recommended for CI/CD)

export BEAR_BLOG_EMAIL="[email protected]"
export BEAR_BLOG_PASSWORD="yourpassword"

Security: Credentials exist only in memory, not written to disk.

Method 3: Runtime Parameters (Recommended for Multi-User)

Provide credentials when calling the skill:

publisher = BearBlogPublisher(email="[email protected]", password="secret")

Security: Caller (chat bot, web app, etc.) manages credential lifecycle.

AI Content Generation (Optional)

To use AI content generation, configure one of the following:

OpenAI

export OPENAI_API_KEY="sk-..."

Kimi

export KIMI_API_KEY="your-kimi-api-key"

Usage

publisher = BearBlogPublisher()
content = publisher.generate_content(
    topic="Python best practices",
    provider="openai",  # or "kimi"
    tone="professional",
    length="medium"
)
result = publisher.publish(title="My Post", content=content)

Priority Order

Runtime parameters (highest priority)
Environment variables
OpenClaw config (lowest priority)

Capabilities

1. Publish Blog Post

Input:

title (string): Blog post title
content (string): Markdown content
email (string, optional): Bear Blog email
password (string, optional): Bear Blog password

Output:

Published URL or error message

2. AI Content Generation (Optional)

Generate blog content using OpenAI or Kimi API.

3. Generate Diagram (Optional)

For technical topics, generates architecture diagrams using HTML/CSS + Playwright.

Security Best Practices

Never commit credentials to git
Use environment variables in production
Set file permissions to 600 for config files
Use runtime parameters for multi-user scenarios

Security Considerations

This skill makes several operational choices that users should be aware of:

1. Playwright Browser Download

Why: Required for generating architecture diagrams as PNG images
Size: ~100MB Chromium browser
Alternative: Skip diagram generation if not needed

2. Temporary Files

Location: /tmp/diagram.html and /tmp/diagram.png
Purpose: Intermediate files for diagram generation
Cleanup: Files are overwritten on each run, not explicitly deleted

3. `--no-sandbox` Flag

Why: Required for running Chromium in containerized/Docker environments
Risk: Slightly reduced browser isolation
Mitigation: Only used for local HTML-to-image conversion, no external URLs loaded

4. Plaintext Password Storage (Optional)

Config file: Only if user chooses Method 1
Recommendation: Use environment variables (Method 2) or runtime parameters (Method 3) instead
If using config: Always set file permissions to 600

Example Usage

With Config File

# ~/.openclaw/openclaw.json configured
You: "Publish a blog about Python tips"
AI: [Uses config credentials, publishes]

With Environment Variables

export BEAR_BLOG_EMAIL="[email protected]"
export BEAR_BLOG_PASSWORD="secret"

You: "Publish a blog about Python tips"
AI: [Uses env vars, publishes]

With AI Content Generation

export BEAR_BLOG_EMAIL="[email protected]"
export BEAR_BLOG_PASSWORD="secret"
export OPENAI_API_KEY="sk-..."

You: "Write and publish a blog about Python asyncio"
AI: [Generates content with OpenAI, publishes]

With Runtime Parameters

# In your chat bot code
email = get_user_email()  # Ask user
password = get_user_password()  # Ask user

publisher = BearBlogPublisher(email=email, password=password)
result = publisher.publish(title="My Post", content="# Content")

Implementation

Uses Bear Blog web API
CSRF token authentication
Session-based (no persistent storage)
Playwright for diagram generation
OpenAI/Kimi API for content generation

License

MIT

安全使用建议

This skill appears to do what it says: publish posts to Bear Blog, optionally generate AI content, and generate diagrams via Playwright. Before installing, consider: 1) Prefer environment variables or runtime parameters over putting credentials into ~/.openclaw/openclaw.json (that file would store plaintext credentials if you choose Method 1). 2) Diagram generation will download Playwright browsers (~100MB) and create /tmp/diagram.html and /tmp/diagram.png; avoid enabling diagrams on multi-tenant/shared CI runners if you worry about leftover temp files. 3) Verify you trust the skill source (package.json points to a GitHub repo; confirm it matches what you expect). 4) If you plan to enable AI generation, only set OPENAI_API_KEY/KIMI_API_KEY in secure environments. 5) If you need higher assurance, review the rest of publish.py (file truncated in listing) and the referenced upload endpoints to ensure they match Bear Blog's documented APIs. Overall: coherent and proportionate, but follow the credential and environment cautions above.

功能分析

Type: OpenClaw Skill Name: bear-blog-publisher Version: 1.0.13 The skill is classified as suspicious due to several documented security considerations that, while transparently disclosed, represent potential vulnerabilities. Specifically, the `scripts/publish.py` code implements a credential resolution mechanism that allows for plaintext password storage in `~/.openclaw/openclaw.json` if the user chooses this method, although it does include a warning if file permissions are insecure. Additionally, the `generate_diagram` function in `scripts/publish.py` uses Playwright with the `--no-sandbox` flag, which is a known security risk for browser isolation, even though the skill mitigates this by only loading local HTML files. These are vulnerabilities and risky operational choices, not clear evidence of malicious intent.

能力评估

✓ Purpose & Capability

The skill claims to publish to Bear Blog and its code implements Bear Blog login, post upload, optional image upload, and optional AI content generation (OpenAI/Kimi). Requiring Bear Blog email/password and optional OpenAI/KIMI API keys aligns with the stated functionality.

ℹ Instruction Scope

SKILL.md and the code stay within publishing/diagram-generation scope. The instructions read credentials from runtime args, env vars, or ~/.openclaw/openclaw.json (expected). The skill writes temporary files to /tmp for diagram generation and does not explicitly delete them (files are overwritten), which is documented but worth noting. The README/README claims 'no persistent credential storage' conflicts with the documented config-file authentication option (which does store plaintext credentials if chosen).

✓ Install Mechanism

There is no external arbitrary-download installer in the registry metadata; package.json includes Python dependency installation and a Playwright browser install step ('playwright install chromium') which is expected for HTML-to-image generation. Playwright's browser download (~100MB) is noted in SKILL.md and README.

✓ Credentials

Requested secrets are limited and proportional: Bear Blog email/password for login, and optional OPENAI_API_KEY or KIMI_API_KEY for AI generation. No unrelated credentials or broad system secrets are requested.

✓ Persistence & Privilege

The skill does not request permanent/always-on privileges (always: false). It does not attempt to modify other skills or system-wide config beyond reading a per-user OpenClaw config file (~/.openclaw/openclaw.json) if present.

版本历史

v1.0.13

- No file changes detected in this version. - Documentation and feature set remain unchanged from the previous release.

v1.0.12

- Added example blog draft and screenshots: blog-draft.md, blog-published.png, feishu-credentials.png, feishu-request.png, feishu-success.png - Added Python bytecode file for publish script: scripts/__pycache__/publish.cpython-312.pyc

v1.0.11

- No code or documentation changes were detected in this version. - Skill functionality and documentation remain unchanged.

v1.0.10

- No user-facing changes in this release. - No file changes detected; documentation and functionality remain unchanged.

v1.0.9

- No changes detected in this release. - All features and documentation remain the same as the previous version.

v1.0.8

- Added documentation and instructions for optional AI content generation via OpenAI and Kimi APIs. - Improved clarity and structure in the overview and authentication sections. - Updated example usage to include AI-powered blogging scenarios. - Enhanced documentation of the diagram generation process and security considerations. - No changes to code; documentation updates only.

v1.0.7

- Added a new "Security Considerations" section to SKILL.md, detailing browser download, temporary files, sandboxing, and plaintext password storage. - No code or functionality changes; documentation update only.

v1.0.6

No changes detected in this version.

v1.0.5

No changes detected in this version. - No file or documentation updates. - Functionality and usage remain unchanged.

v1.0.4

- No file changes detected in this version. - No new features, fixes, or documentation updates included. - This release preserves the current functionality and documentation.

v1.0.3

- Expanded documentation of authentication methods, detailing OpenClaw config, environment variables, and runtime parameters. - Introduced a clear priority order for credential sources. - Improved security guidance with file permission and credential handling best practices. - Updated capabilities and example usages for clarity. - No changes to code or core functionality.

v1.0.2

Version 1.0.2 of bear-blog-publisher - No file changes detected in this release. - Functionality remains unchanged from the previous version.

v1.0.1

- Updated security approach: recommends using credentials only for the session or environment variables instead of storing passwords in plaintext config files. - Improved instructions for providing credentials, clarifying they are not stored. - Revised description to highlight support for both AI-generated and user-provided content. - Streamlined usage steps and examples for clarity. - Removed the requirement and details about saving credentials in config files.

v1.0.0

Initial release with auto-publish, diagram generation, and flexible auth

元数据

Slug bear-blog-publisher

版本 1.0.13

许可证 —

累计安装 1

当前安装数 0

历史版本数 14

常见问题