← 返回 Skills 市场
2691
总下载
0
收藏
1
当前安装
7
版本数
在 OpenClaw 中安装
/install tootbot
功能描述
Publish content to Mastodon. Use when you need to post a Mastodon status.
安全使用建议
Do not install or run this skill blindly. Specific things to check before using it:
- Verify the source and publisher: the registry metadata lists no homepage and the owner id is unfamiliar.
- Expect to provide MASTODON_URL and MASTODON_ACCESS_TOKEN; only do so if you trust the skill and have verified the script.
- Inspect the full scripts/tootbot.js in a safe environment (or ask the author for readable source). The file is large and minified — consider requesting an unminified repository reference or source review.
- Validate the access token's scope (create a token with minimal scope needed for posting) and consider using a throwaway/test account first.
- Run the script in an isolated container or sandbox and monitor network calls (to confirm it only talks to the configured Mastodon instance).
- If you cannot review the code or verify provenance, treat this skill as untrusted and avoid supplying your real Mastodon access token.
功能分析
Type: OpenClaw Skill
Name: tootbot
Version: 0.5.0
The skill is classified as suspicious due to two main factors: 1) The `scripts/tootbot.js` file allows local file access for media uploads (e.g., `"file": "/path/to/foo.png"`). While necessary for its stated purpose, this capability could be exploited if the AI agent is prompted to provide a sensitive file path. 2) The `SKILL.md` contains instructions like `Read the output and summarize it for the user.`, which represents a generic prompt injection vector. Although the script's output is controlled JSON from the Mastodon API, a malicious API response could potentially be crafted to influence the agent's subsequent actions during summarization. There is no clear evidence of intentional harmful behavior from the skill developer, but these capabilities introduce elevated risks.
能力评估
Purpose & Capability
The SKILL.md and README clearly state this is a Mastodon publisher that requires the bun runtime and two env vars (MASTODON_URL, MASTODON_ACCESS_TOKEN). The skill registry metadata (requirements section) however lists no required binaries or env vars — that mismatch is incoherent: a Mastodon publisher legitimately needs the access token and a runtime (bun).
Instruction Scope
Runtime instructions are narrowly scoped to posting statuses and attaching media files (reading files referenced by the 'media.file' paths). However the script is included and minified/obfuscated, so its actual runtime behavior is hard to verify; it could read additional files or environment variables beyond what's documented. The SKILL.md itself does not instruct reading unrelated system files, but the included code could.
Install Mechanism
There is no install specification (instruction-only), but a 496 KB bundled/minified script is included and intended to be executed with bun. Shipping a large minified script with no source mapping makes manual review difficult and increases risk because arbitrary logic will be executed when run.
Credentials
The documented runtime requires MASTODON_URL and MASTODON_ACCESS_TOKEN (sensitive credentials) but the declared registry requirements list none. This is a concrete mismatch: the skill asks for sensitive credentials without declaring them. Users should treat any request for an access token as high-sensitivity and verify scope and origin first.
Persistence & Privilege
The skill does not request always:true and does not declare persistent installation behavior. The agent is allowed to invoke the skill autonomously (platform default). Combined with the presence of sensitive credentials and an opaque script, autonomous invocation would increase potential impact if the script misbehaves.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tootbot - 安装完成后,直接呼叫该 Skill 的名称或使用
/tootbot触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.5.0
tootbot 0.5.0
- Switched implementation to use Bun instead of Node.js.
- Updated usage to accept JSON input; supports batch posting of multiple statuses.
- Added support for more flexible media attachments via JSON objects.
- Expanded trigger phrases to include "publish status to mastodon".
- Provided guidance for required environment variables (MASTODON_URL, MASTODON_ACCESS_TOKEN).
v0.4.1
- Removed the "Environment Variables" section from SKILL.md to streamline configuration details.
- No functional or code changes; documentation only.
v0.4.0
- Added documentation for required environment variables: MASTODON_URL and MASTODON_ACCESS_TOKEN.
- No functional changes; documentation update only.
v0.3.1
- Switched runtime requirement from Bun to Node.js; commands now use node instead of bun.
- Updated installation note and command examples to reflect the change to Node.js.
- Metadata updated to require "node" binary, not "bun".
- All usages, options, and functionality remain unchanged.
v0.3.0
- Version bumped to 0.3.0.
- No file or documentation changes detected in this release.
v0.2.0
- No visible changes in this release; documentation and code remain unchanged.
v0.1.0
- Initial release of Mastodon Publisher skill for posting updates, posts, or media to Mastodon.
- Provides CLI usage with support for status text, scheduling, visibility, language, quote approval policy, and media attachments.
- Supports posting scheduled statuses, private/unlisted/direct posts, and posts with or without media.
- Requires Bun to be installed and available in the system PATH.
元数据
常见问题
Tootbot 是什么?
Publish content to Mastodon. Use when you need to post a Mastodon status. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2691 次。
如何安装 Tootbot?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tootbot」即可一键安装,无需额外配置。
Tootbot 是免费的吗?
是的,Tootbot 完全免费(开源免费),可自由下载、安装和使用。
Tootbot 支持哪些平台?
Tootbot 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tootbot?
由 behrangsa(@behrangsa)开发并维护,当前版本 v0.5.0。
推荐 Skills