ClawHub

Weibo Publisher

v2.0.0

Publish posts to Weibo (Sina Weibo) using browser automation. Use when the user wants to post content to Weibo, share updates on Weibo, publish microblogs, o...

0· 581·7 current·7 all-time
by@azfliao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the implementation: the skill automates Weibo via the managed browser and the included scripts and SKILL.md show the expected browser actions. However the package metadata declares no required config paths or credentials while the runtime docs and script explicitly read/write a state file under the user's OpenClaw workspace (~/.openclaw/workspace/memory/weibo-state.json / memory/weibo-state.json). That config-path usage is proportional to the skill's purpose but is not declared in the registry metadata (inconsistency).
!
Instruction Scope
SKILL.md and examples instruct the agent to use the managed browser profile (openclaw), take snapshots, click/type elements, and update a state JSON file. Troubleshooting docs include OS-level commands (ps, pkill) and examples reference fully automated hourly posting and generating content from trending topics. These are plausible for a posting tool but expand the agent's scope to operate on a logged-in browser session, write files in the user's workspace, and—if used as shown—enable automated periodic posting. The troubleshooting shell commands and system-level suggestions give the agent potential to run broader system commands than strictly necessary for a single post.
Install Mechanism
No install spec (instruction-only with one reference script). Nothing is downloaded or installed by the skill itself, which minimizes installation risk.
Credentials
The skill does not request environment variables or external credentials, which is consistent with its browser-based approach. However it requires access to a logged-in managed browser profile (cookies/session) and writes to a state file under the user's OpenClaw workspace; those accesses should be considered sensitive because the skill will act using the account already logged into the browser. That access is necessary for its function but should be a conscious consent decision by the user.
Persistence & Privilege
always:false (no forced persistence). The skill includes examples and a pattern for automated/scheduled hourly posting (heartbeat/automation). Because model invocation is not disabled, an agent could invoke this skill autonomously; combined with the automated-posting examples, that enables periodic posting without further human action. This behavior is plausible for a publisher tool but increases the blast radius and requires explicit user trust and configuration.
What to consider before installing
What to check before installing: - Confirm you trust the managed browser session: the skill uses the platform's logged-in browser profile (profile="openclaw") and will post using whatever account is currently logged in. If you don't want the skill to use your account, don't install or don't leave that profile logged in. - Expect local file writes: the skill reads/writes a state file (memory/weibo-state.json and the script uses ~/.openclaw/workspace/...). If you need to audit or restrict where it writes, ask the author to declare the exact path in the metadata or modify the path to a controlled location. - Automated posting risk: examples show hourly/automated posting and content-generation patterns. If you do not want autonomous or scheduled posts, ensure the agent's policies disallow automatic invocation of this skill or do not enable scheduling workflows. - Troubleshooting commands are powerful: docs suggest running ps/pkill and other system commands for debugging. Those are normal for troubleshooting but they increase operational risk if executed indiscriminately—avoid executing such commands unless you understand the effects. - Metadata mismatch: the package metadata did not declare the config path or other runtime file usage. Ask the publisher to update the registry metadata to list required config paths and a clear privacy/security statement explaining what browser/session data and local files will be accessed. If you want to proceed: run the included reference script in a controlled test environment first (with a non-critical Weibo account), confirm behavior, and restrict agent autonomy or scheduling until you're satisfied with the skill's actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk978m0h4h3d0wqkqyexxw9xpj5824ja6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments