
Weibo Microblogging CLI

Author: oscraters · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 739
Favorites: 1
Current installs: 8
Versions: 2
Install in OpenClaw
/install weibo
Description
Use Weibo Open Platform for OAuth2 authentication, timeline retrieval, topic search, and structured social sentiment collection. Trigger this skill when task...
Security usage recommendations
This skill appears to implement the Weibo OAuth and API calls it claims, but review these points before installing or enabling it:
  1. Use SecretRef or your external secret manager for WEIBO_APP_SECRET (the repo already recommends this). Do not commit secrets.
  2. Be careful with WEIBO_ACCESS_TOKEN: the CLI will attach it to requests automatically — avoid setting that env var in long-lived/shared environments unless needed.
  3. The 'call' command accepts absolute URLs and will include access tokens if present; do not use it against untrusted endpoints (it can leak tokens). Prefer explicit /2/... paths and double-check target URLs.
  4. If you do not want the Brave fallback, keep weibo-brave-search disabled or treat it as a separate skill; its credential (BRAVE_SEARCH_API) is declared separately.
  5. Inspect scripts (scripts/weibo_cli.sh and weibo-brave-search/scripts/weibo_search.py) yourself and consider adding local guards (e.g., disallow non-Weibo URLs or require explicit --allow-external flag) if you plan to run this in autonomous workflows.
If you want higher assurance, ask the publisher to add an explicit warning about the 'call' behavior and a guard that prevents tokens being sent to non-Weibo domains.
Functional analysis
Type: OpenClaw Skill
Name: weibo
Version: 1.0.1
The skill is classified as suspicious due to a Server-Side Request Forgery (SSRF) vulnerability in `scripts/weibo_cli.sh`. The `cmd_call` function allows the execution of `curl` requests to arbitrary URLs specified via the `--path` argument, which could be exploited by a malicious actor or a compromised agent to perform unauthorized network requests. While the skill's stated purpose is legitimate and its documentation (including `OPENCLAW_SECRETS_REMEDIATION_PLAN.md`) demonstrates strong security awareness and transparency, this vulnerability represents a significant risk without clear evidence of intentional malicious design.
Capability assessment
Purpose & Capability
Name, description, declared binaries (bash, curl, python3), and required env vars (WEIBO_APP_KEY, WEIBO_APP_SECRET, WEIBO_REDIRECT_URI) align with an OAuth2-based Weibo CLI. The companion Brave-search code is provided as a distinct sub-skill and documented as a fallback, which matches expectations.
Instruction Scope
The SKILL.md and scripts provide appropriate commands for OAuth flow and standard Weibo endpoints. However, the CLI's 'call' command accepts full absolute URLs (not just /2/ paths) and will automatically attach WEIBO_ACCESS_TOKEN if present; this means a user or an autonomous agent could be directed to call an arbitrary external endpoint and inadvertently transmit sensitive tokens. The docs do not prominently warn about that leakage vector.
Install Mechanism
No install spec (instruction-only with shipped scripts). That minimizes supply-chain risk. The repo files are plain shell and Python code with no external downloads or archive extraction.
Credentials
Requested env vars are proportional to stated functionality: app key/secret and redirect URI for OAuth; optional WEIBO_ACCESS_TOKEN for pre-issued-token workflows. Companion BRAVE_SEARCH_API is declared only in the weibo-brave-search sub-skill. The project docs and remediation plan explicitly call out secret-handling practices. Still, automatic use of WEIBO_ACCESS_TOKEN in arbitrary 'call' invocations increases the chance of secret leakage if env secrets are not tightly managed.
Persistence & Privilege
No elevated persistence requested: `always` is false, and there are no install hooks or changes to other skills' config. The skill does not request system-wide configuration changes.
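How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install weibo
  3. Once installation completes, invoke the Skill by name or trigger it with /weibo
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history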
v1.0.1
- Split Weibo web search fallback into a new companion skill (`weibo-brave-search`), focusing this skill solely on official Weibo API.
- Overhauled credential instructions with a new section on secret handling, clarifying required variables and OpenClaw integration.
- Updated skill description and metadata for clearer scope and environment configuration.
- Added new companion and secret remediation documentation files; removed bundled web search fallback script.
- CLI usage, workflow, and command set remain unchanged.
v1.0.0
Weibo Skill v1.0.0 – Initial Release
- Supports OAuth2 authentication and access token management for Weibo Open Platform.
- Provides Bash CLI for direct API calls: public timeline, user timeline, and topic search.
- Includes web search fallback script for Weibo trend signals when API access is unavailable.
- Structured workflow outline for credential setup, token retrieval, and endpoint usage.
- Emphasizes automation-friendly, reproducible commands with JSON output and official doc references.
Metadata
Slug weibo
Version 1.0.1
License
Total installs 10
Current installs 8
Historical versions 2
FAQ

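What is Weibo Microblogging CLI?

Use Weibo Open Platform for OAuth2 authentication, timeline retrieval, topic search, and structured social sentiment collection. Trigger this skill when task... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 739 total downloads so far.

How do I install Weibo Microblogging CLI?

Run the command "/install weibo" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is Weibo Microblogging CLI free?

Yes, Weibo Microblogging CLI is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Weibo Microblogging CLI support?

Weibo Microblogging CLI is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Weibo Microblogging CLI?

Developed and maintained by oscraters (@oscraters); the current version is v1.0.1.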
