POST AI Automation
Author: nyamiresepdapur-droid · GitHub · v1.0.0
379 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw: /install postai-automation
Description
Automate TikTok and Instagram video creation and scheduled posting from one product image using POST AI with customizable styles, captions, and performance t...
Safe-use recommendations
This skill appears to implement the advertised video-generation and upload workflow, but several issues need attention before you run it:
- Expect to provide sensitive credentials: POST AI API key and TikTok/Instagram cookie files/session_id. The code reads them from config.json (plaintext). Prefer storing secrets in environment variables or a secure keyring rather than a repo file.
- Registry metadata did NOT declare these credentials or Python requirements — that's an inconsistency. Treat the package as requiring Python 3.8+ and manual credential configuration.
- SKILL.md references scripts that are missing (previews.py, daily_post.py, track_performance.py). The package has placeholders (TODO) for actual TikTok/Instagram upload logic. The upload functions currently simulate behavior; real browser automation or API calls would need additional dependencies and credentials.
- config.example.json contains a JSON syntax error (malformed posting_schedule entry). Fix the example before copying to config.json.
- Review how cookies/session_id are obtained and stored. Exporting full browser cookies can expose other accounts; only extract the minimum tokens needed and store them securely.
- Audit the code paths that download images (arbitrary URLs) and run subprocesses — run in an isolated environment (container or VM) and avoid running with elevated privileges.
- Verify the legitimacy of POST AI (postai.myscalev.com / api.postai.com) and costs before entering payment/keys.
If you decide to use it: run it in a sandbox, fix the config example, move secrets out of repo files, and manually inspect/complete the upload implementation (or replace with a vetted library) before scheduling automatic runs.
Functional analysis
Type: OpenClaw Skill
Name: postai-automation
Version: 1.0.0
The skill is classified as suspicious primarily due to a Server-Side Request Forgery (SSRF) vulnerability in `scripts/batch_process.py`. The `download_image` function uses `urllib.request.urlopen(url)` where the `url` is directly taken from the `image_url` column in the input CSV, allowing an attacker to potentially make the agent request arbitrary internal network resources or local files. Additionally, the skill handles highly sensitive credentials like social media session IDs and cookie file paths (e.g., `tiktok_cookies.json`) which, while necessary for its stated purpose, presents a significant attack surface if exploited. There are no clear indicators of intentional malicious behavior like data exfiltration to unauthorized endpoints or prompt injection against the agent.
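As an added example (not code from the postai-automation package), the pattern below shows how a `download_image` of the kind described above can be hardened: the URL is validated before `urlopen` is called, every address the hostname resolves to must be public, embedded credentials and non-http(s) schemes are rejected, redirects are refused, and the response size is capped. The function signature (URL plus destination path) and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_BYTES = 10 * 1024 * 1024  # refuse images larger than 10 MiB


def default_resolver(host):
    """Return every address (IPv4 and IPv6) the hostname resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_image_url(url, resolver=default_resolver):
    """True only for http(s) URLs whose every resolved address is public.

    Rejects file://, embedded credentials, loopback, RFC 1918 and link-local
    (cloud metadata) targets, and hostnames resolving to any such address.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    try:
        addresses = resolver(parts.hostname)
    except (OSError, ValueError):  # DNS failure or unparsable address
        return False
    if not addresses:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addresses)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 302 to http://127.0.0.1/ would bypass the check."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def download_image(url, dest_path, resolver=default_resolver):
    """Fetch url into dest_path only after it passes is_safe_image_url."""
    if not is_safe_image_url(url, resolver):
        raise ValueError(f"refusing untrusted image_url: {url!r}")
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(url, timeout=15) as resp:
        data = resp.read(MAX_BYTES + 1)  # one extra byte detects oversize bodies
    if len(data) > MAX_BYTES:
        raise ValueError("image exceeds size limit")
    with open(dest_path, "wb") as fh:
        fh.write(data)
    return len(data)
```

Note that `is_global` also rejects the RFC 5737 documentation ranges, so use a real public address when testing the positive path.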
Capability assessment
Purpose & Capability
The skill claims to automate POST AI video generation and posting — the scripts implement that workflow and require a POST AI API key plus TikTok/Instagram cookies/session_id. However, the registry metadata declared no required environment variables or credentials while package.json lists Python requirements; the metadata therefore under-represents needed secrets and runtime requirements. This mismatch is unexpected and reduces transparency.
Instruction Scope
SKILL.md instructs storing API keys and browser cookies/session_id in config.json and running scripts (generate, auto_upload, batch_process). The scripts read config.json directly and will download images from arbitrary URLs and may run browser automation (TODO notes). The SKILL.md references additional scripts (previews.py, daily_post.py, track_performance.py) that are not present in the package — this is incoherent. Storing session cookies and session_id in a config file is sensitive and the instructions do not recommend safer alternatives (e.g., env vars, OS keyring).
Install Mechanism
There is no install spec (instruction-only plus Python scripts). No remote downloads or installers are executed by the skill itself. That limits supply-chain risk compared to arbitrary URL downloads, but the package assumes a Python runtime and will invoke subprocesses and network calls.
Credentials
The skill requires POST AI API credentials and TikTok/Instagram cookie files/session_id (sensitive tokens) stored in config.json; these are proportionate to an uploader but the registry metadata did not declare them. The config.example.json itself contains mistakes (malformed JSON) and reveals that sensitive data will be stored in plaintext files by default — a potential secret-exposure risk. No primary credential is declared in metadata.
Persistence & Privilege
always:false and default model-invocation are used (normal). The skill writes temp files, outputs, and a batch_summary.jsonl in its skill directory and suggests adding a cron job; it does not request elevated system privileges or alter other skills. Still, because it can be scheduled to run unattended and uses account cookies/API keys, autonomous operation increases blast radius if credentials are mishandled.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install postai-automation
- After installation, call the Skill by name or trigger it with /postai-automation
- Provide the required inputs according to the Skill's parameter description to receive structured output.
Version history
v1.0.0
Initial release
FAQ
What is POST AI Automation?
Automate TikTok and Instagram video creation and scheduled posting from one product image using POST AI with customizable styles, captions, and performance t... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 379 downloads to date.
How do I install POST AI Automation?
Run the command "/install postai-automation" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is POST AI Automation free?
Yes, POST AI Automation is completely free (open source) and can be freely downloaded, installed and used.
Which platforms does POST AI Automation support?
POST AI Automation is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed POST AI Automation?
Developed and maintained by nyamiresepdapur-droid (@nyamiresepdapur-droid); the current version is v1.0.0.