
toutiao-publish-docx

Author: charlesliu-sap · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 100
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install toutiao-publish-docx-v1
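Description
Publishes articles in the Toutiao (头条号) creator backend using a Cookie or a saved session, with support for title/body/images and docx import from a fixed directory. Invoked when the user wants to publish a Toutiao article automatically, passes in cookie_header, or asks to publish via the docx workflow.
Security usage recommendations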
This skill appears to do what it says (automate publishing to Toutiao), but there are important mismatches you should address before installing or running it:

- Missing declarations: SKILL.md uses the TOUTIAO_COOKIE environment variable and specific project paths (/home/ubuntu/projects/toutiao_poster and artifact directories), but the skill metadata lists no required env vars or config paths. Confirm where cookies/sessions will be stored and whether the platform will pass TOUTIAO_COOKIE if you provide one.
- Verify the runtime environment: The instructions assume a Python project and virtualenv at /.venv and a module named toutiao_poster. If that code is not present on the host, the commands will fail. If it is present, inspect that code before running — it will have filesystem access to the referenced directories.
- Protect secrets: A cookie header grants access to the user's account—only supply cookies you trust and only run this on a dedicated, non-shared environment. Do not paste browser cookies in untrusted consoles.
- Filesystem risk: The skill reads/moves files under absolute paths. If you run it on a shared machine, ensure those paths don't contain unrelated sensitive data. Prefer running in an isolated VM/container with minimal other data.
- Improve metadata before use: Ask the publisher to declare required env vars (TOUTIAO_COOKIE, optional TOUTIAO_IMAGE_DIR) and required config paths in the registry metadata so the permission surface is explicit.

If you cannot verify the presence and content of the toutiao_poster project or cannot ensure a dedicated environment, avoid using this skill or run it only after code inspection and environment hardening.
Functional analysis
Type: OpenClaw Skill
Name: toutiao-publish-docx-v1
Version: 1.0.0

The skill bundle is designed to automate article publishing on the Toutiao platform, but it is classified as suspicious due to a significant shell injection vulnerability. The instructions in SKILL.md direct the AI agent to construct and execute shell commands by directly embedding user-provided inputs (like 'title' and 'content') into command strings, which could allow an attacker to execute arbitrary code on the host system. Furthermore, the skill requires the handling of sensitive session cookies (TOUTIAO_COOKIE), which increases the potential impact of such an exploit.
Capability assessment
Purpose & Capability
The name/description (publish to 头条 using cookie or saved session, support docx import) aligns with the runtime instructions (commands to run toutiao_poster). However the instructions assume a preexisting Python project and runtime environment at /home/ubuntu/projects/toutiao_poster and a module toutiao_poster; the registry metadata lists no required files or env vars, which is inconsistent with what the skill actually expects to run.
Instruction Scope
SKILL.md directs the agent to read and move files in fixed absolute paths (images/docx/artifacts under /home/ubuntu/projects/...), to save screenshots to those artifact directories, and to use a TOUTIAO_COOKIE environment variable. Those filesystem accesses and env-var usage are not declared and go beyond a simple API integration; the instructions assume local filesystem and session files exist and instruct modifying them (moving processed files to done/).
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Because it contains no packaged install steps, nothing would be written by the skill itself at install time. The runtime commands, however, assume existing installed code/software.
Credentials
Although the registry lists no required env vars, the SKILL.md shows use of TOUTIAO_COOKIE and allows overriding image/docx directories via env vars (TOUTIAO_IMAGE_DIR). Requesting and using cookies to authenticate is expected for this purpose, but the omission from declared requirements is an inconsistency. The skill will also read arbitrary files under the project path — access that could expose other artifacts if the environment is shared.
Persistence & Privilege
always is false and there is no indication the skill requests permanent or elevated platform privileges. It does instruct moving files under its own project directories, which is normal for a local automation script.
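How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install toutiao-publish-docx-v1
  3. Once installation completes, call the Skill by name or trigger it with /toutiao-publish-docx-v1
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history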
v1.0.0
Toutiao-publish v1.0.0 — Initial Release

- Allows posting articles (title, text, images, or docx import) to Toutiao using a cookie or saved session.
- Supports fully automated publishing with user-provided `cookie_header`, or falls back to saved session.
- Handles direct text/image posting and fixed-directory docx or image auto-import (with automatic archiving after success).
- Includes configurable wait time for docx parsing (`docx_wait_seconds`).
- Saves process screenshots for troubleshooting; describes common failure modes and recovery steps.
Metadata
Slug toutiao-publish-docx-v1
Version 1.0.0
License MIT-0
Cumulative installs 0
Current installs 0
Historical versions 1
FAQ

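What is toutiao-publish-docx?

Publishes articles in the Toutiao (头条号) creator backend using a Cookie or a saved session, with support for title/body/images and docx import from a fixed directory. Invoked when the user wants to publish a Toutiao article automatically, passes in cookie_header, or asks to publish via the docx workflow. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 100 downloads in total so far.

How do I install toutiao-publish-docx?

Run the command "/install toutiao-publish-docx-v1" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is toutiao-publish-docx free?

Yes, toutiao-publish-docx is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does toutiao-publish-docx support?

toutiao-publish-docx runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed toutiao-publish-docx?

It is developed and maintained by charlesliu-sap (@charlesliu-sap); the current version is v1.0.0.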
