toutiao-publish
Author: charlesliu-sap (GitHub) · v1.0.0 · MIT-0
Total downloads: 182 · Favorites: 0 · Currently installed: 0 · Versions: 1
Install in OpenClaw: /install toutiao-publish-docx
Description
Publishes articles to the Toutiao (头条号) creator backend using a cookie or a saved session; supports title/body/images and docx import from a fixed directory. Invoke it when the user wants to auto-publish a Toutiao article, passes a cookie_header, or asks for the docx-based publishing flow.
Safe usage advice
Before installing or using this skill:
1) Confirm you actually have the project at /home/ubuntu/projects/toutiao_poster (or adjust paths) and a working .venv; this skill has no installer.
2) Treat TOUTIAO_COOKIE as a secret: only provide cookies you control and understand that the local script will use them to authenticate; do not paste production account cookies unless you trust the host.
3) Verify and restrict file permissions on the image/docx/artifacts directories — the script will read, upload, and move files there.
4) Ask the publisher for the source code or a homepage and installation instructions so you can audit what the Python module does (network calls, logging, error handling).
5) If you plan to run this in a different environment, update the SKILL.md paths and document the required env vars (TOUTIAO_COOKIE, TOUTIAO_IMAGE_DIR) so requirements and metadata match.
If you cannot verify the above, avoid providing cookies or running this skill on sensitive accounts.
Functional analysis
Type: OpenClaw Skill
Name: toutiao-publish-docx
Version: 1.0.0
The skill bundle contains a significant shell injection vulnerability in SKILL.md. The instructions guide the AI agent to construct bash commands by directly inserting user-provided strings (such as title, content, and cookie_header) into single-quoted shell arguments. This pattern is highly susceptible to exploitation if the input contains single quotes or other shell metacharacters, potentially allowing arbitrary command execution on the host system. While the stated purpose of automating Toutiao posts is plausible, the insecure command construction poses a high security risk.
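As an added illustration of the quoted-argument problem the analysis describes (not code from the skill or its author), the snippet below contrasts the single-quote interpolation pattern with an argv list handed to subprocess without a shell; the module name and the --title/--content/--cookie flags are assumptions, since the page names neither.

```python
import shlex
from typing import List

# Constructed sample inputs (not from the page). The title contains a single
# quote, the one character that ends a single-quoted shell argument.
SAMPLE_TITLE = "It's a title with a ' in it"
SAMPLE_CONTENT = "Body text with $HOME and ; inside"
SAMPLE_COOKIE = "sessionid=CONSTRUCTED; tt_webid=PLACEHOLDER"

# Assumed module name and flags: the page names the project directory
# (toutiao_poster) but not the module's CLI, so these are placeholders.
MODULE = "toutiao_poster"


def naive_command(title: str, content: str, cookie_header: str) -> str:
    """The pattern SKILL.md describes: values pasted into single quotes.
    Returned as text for inspection only; never handed to a shell here."""
    return (f"python -m {MODULE} --title '{title}' "
            f"--content '{content}' --cookie '{cookie_header}'")


def fields_that_break_quoting(**fields: str) -> List[str]:
    """Pre-flight check: a single quote inside a value terminates the quoted
    argument, so the shell would parse the remainder as new tokens."""
    return [name for name, value in fields.items() if "'" in value]


def build_argv(title: str, content: str, cookie_header: str) -> List[str]:
    """Hardened form: an argv list for subprocess.run(argv) (no shell=True),
    so each value stays exactly one argument whatever characters it holds."""
    return ["python", "-m", MODULE,
            "--title", title, "--content", content, "--cookie", cookie_header]


def shell_line(argv: List[str]) -> str:
    """If a one-line shell command is really needed (e.g. for a log or an
    agent transcript), let shlex.join quote it instead of hand-written '...'."""
    return shlex.join(argv)


def tokens_of(command: str) -> List[str]:
    """Tokenise a command line the way a POSIX shell would, to compare forms."""
    return shlex.split(command)


if __name__ == "__main__":
    argv = build_argv(SAMPLE_TITLE, SAMPLE_CONTENT, SAMPLE_COOKIE)
    print("fields that break quoting:", fields_that_break_quoting(
        title=SAMPLE_TITLE, content=SAMPLE_CONTENT, cookie_header=SAMPLE_COOKIE))
    # The naive string no longer tokenises back to the intended 9 arguments.
    print(len(tokens_of(naive_command(SAMPLE_TITLE, SAMPLE_CONTENT, SAMPLE_COOKIE))))
    # The shlex-quoted line round-trips exactly.
    print(tokens_of(shell_line(argv)) == argv)
```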
Capability assessment
Purpose & Capability
The name/description (publish to Toutiao using a cookie or saved session, support docx import) matches the runtime steps. However, the SKILL.md assumes a preinstalled project at /home/ubuntu/projects/toutiao_poster with a .venv and specific artifact directories; the registry metadata declares no install steps or required env vars — so the skill will only work where that exact layout exists. This is plausible for a private server deployment but is an undeclared dependency.
Instruction Scope
The instructions tell the agent to cd into a fixed path and run a local Python module, read and upload images/docx from specific absolute directories, archive files to done/, and save screenshots to artifacts/. Those file I/O and move operations are all within the posting workflow, but the doc explicitly references environment variables (TOUTIAO_COOKIE, TOUTIAO_IMAGE_DIR) and saved session files that are not listed in metadata. The SKILL.md also assumes headless automation and clicking UI elements — this requires the host to have the necessary runtime and credentials.
Install Mechanism
This is an instruction-only skill with no install spec or code. That limits supply-chain risk (nothing is downloaded by the skill), but it shifts risk to assumptions about a preinstalled project and environment which are undocumented.
Credentials
Metadata lists no required env vars, but SKILL.md uses TOUTIAO_COOKIE (sensitive browser cookie string) and optionally TOUTIAO_IMAGE_DIR. Asking users to supply browser cookies is expected for session-based posting, but the mismatch between declared requirements and the actual sensitive inputs is an incoherence to surface: the skill can cause sensitive cookie data to be used and transmitted by the local script, and it will read/move files under several absolute paths.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It will perform local file operations (moving posted images/docx to done/ and writing screenshots in artifacts/), which is expected behavior for this tool but means it needs filesystem privileges in those directories. No elevated platform privileges are requested via metadata.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Type the install command in the chat box: /install toutiao-publish-docx
- After installation, call the skill by name directly or trigger it with /toutiao-publish-docx
- Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.0.0
initial submit
FAQ
What is toutiao-publish?
Publishes articles to the Toutiao (头条号) creator backend using a cookie or a saved session; supports title/body/images and docx import from a fixed directory. Invoke it when the user wants to auto-publish a Toutiao article, passes a cookie_header, or asks for the docx-based publishing flow. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 182 downloads to date.
How do I install toutiao-publish?
Run the command「/install toutiao-publish-docx」in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.
Is toutiao-publish free?
Yes, toutiao-publish is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.
Which platforms does toutiao-publish support?
toutiao-publish is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed toutiao-publish?
Developed and maintained by charlesliu-sap (@charlesliu-sap); current version v1.0.0.