← 返回 Skills 市场

Social Media Auto

Name: Social Media Auto
Author: linzmin

作者 linzmin · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

252

总下载

当前安装

版本数

在 OpenClaw 中安装

/install social-media-auto

功能描述

自媒体内容生成技能 - 热点抓取 + AI 创作 + 多平台适配

安全使用建议

What to consider before installing: - Expect this skill to contact external Alibaba Cloud services (mcporter / 阿里云 MCP) for both trending search and AI generation. The package metadata does not declare any credentials — you should only install if you understand and trust how you will provide mcporter/Aliyun credentials (and preferably configure them in a controlled environment). - The scripts call `npx mcporter ...` at runtime. `npx` can fetch packages on first run (supply-chain risk). If you don't want dynamic downloads, review and preinstall required tooling and pin versions. - The code uses child_process.execSync with string interpolation of user input (e.g. the --topic value). That is a command-injection hazard if you or other automated systems pass untrusted input into these scripts. Avoid running these scripts with untrusted inputs, or sanitize/escape arguments before use. - The SKILL.md included a prompt-injection-like artifact (unicode-control-chars). Inspect SKILL.md and the included files for any hidden characters or instructions that could alter behavior. - If you decide to try it: run it in a sandboxed environment (container or VM) first, inspect/verify mcporter configuration, and avoid running the test script or fetch/generate on any system containing sensitive credentials. If you need this functionality but want lower risk, ask the author to: declare required env vars, document mcporter setup, avoid shell interpolation (use child_process with argument arrays or a proper SDK), and pin any external dependencies.

功能分析

Type: OpenClaw Skill Name: social-media-auto Version: 1.0.0 The skill bundle contains a shell injection vulnerability in 'scripts/generate-content.js' and 'scripts/fetch-trending.js'. User-provided input from the '--topic' argument is directly interpolated into a shell command executed via 'execSync' to call an external MCP tool (npx mcporter). While the overall logic for social media content generation appears legitimate and aligned with the stated purpose, the lack of input sanitization allows for arbitrary command execution. No evidence of intentional malice, data exfiltration, or persistence was found.

能力评估

⚠ Purpose & Capability

The skill description says it uses 阿里云 MCP for search and AI generation and the scripts indeed call `npx mcporter call ...`, yet the registry metadata declares no required environment variables or primary credential. A user would reasonably expect this skill to require configuration/credentials for mcporter/Aliyun; the absence of declared env requirements is incoherent.

⚠ Instruction Scope

SKILL.md instructs running the included scripts (fetch/generate/format/save). The scripts perform network calls via `npx mcporter` and spawn shell commands with execSync. User-supplied inputs (e.g. --topic) are interpolated into shell commands without escaping, creating a local command-injection risk if untrusted inputs are used. The instructions do not warn about required mcporter configuration, nor about network traffic to external AI/search services.

ℹ Install Mechanism

There is no package-install spec (instruction-only install), and the included install.sh only checks for Node.js, chmods files and creates directories (low risk). However, runtime uses `npx` which may download packages on first use (transient supply-chain risk). No remote arbitrary archive downloads are present in the repo itself.

⚠ Credentials

The code relies on external cloud tooling (mcporter/阿里云 MCP) but the skill declares no env vars/credentials. That mismatch is concerning: the scripts will try to use mcporter (which typically requires authentication/config) and may fail or prompt the environment to provide secrets; the skill should have declared required credentials or document how mcporter should be configured.

✓ Persistence & Privilege

The skill does not request elevated platform privileges (always:false), does not autonomously persist beyond writing drafts/data within its own directory, and does not modify other skills or global agent config.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install social-media-auto
安装完成后，直接呼叫该 Skill 的名称或使用 /social-media-auto 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

- 首个版本发布，提供全功能自媒体内容生成工具 - 支持微博热搜和知乎热榜自动抓取 - 一键 AI 生成内容，支持多语气、多长度 - 自动适配公众号、小红书、抖音三大平台格式 - 内置草稿管理和版本控制功能 - 提供清晰模板与脚本化操作流程

元数据

Slug social-media-auto

版本 1.0.0

许可证 MIT-0

累计安装 3

当前安装数 2

历史版本数 1

常见问题

Social Media Auto 是什么？

自媒体内容生成技能 - 热点抓取 + AI 创作 + 多平台适配. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 252 次。

如何安装 Social Media Auto？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install social-media-auto」即可一键安装，无需额外配置。

Social Media Auto 是免费的吗？

是的，Social Media Auto 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Social Media Auto 支持哪些平台？

Social Media Auto 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Social Media Auto？

由 linzmin（@linzmin）开发并维护，当前版本 v1.0.0。