toutiaoAutoPublish

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: toutiao-auto-publish
Version: 1.0.0

The skill is a legitimate automation tool designed to publish content to the Toutiao (今日头条) platform using Playwright. It functions by connecting to a local Chrome instance via remote debugging to leverage existing login sessions. The script (toutiao_publish.py) performs transparent UI automation, including handling image uploads and providing status screenshots on the user's desktop. While it possesses the capability to post on the user's behalf, there is no evidence of data exfiltration, credential theft, or hidden malicious logic. A minor discrepancy exists between the documentation (port 9222) and the code (port 18800), which appears to be a configuration oversight rather than a security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Toutiao post may be published under the user's account with text the user did not write or approve.

Why it was flagged

The script can publish a built-in default message or append additional text to short user-provided content, changing the public post content without an explicit review step in the artifacts.

Skill content

```python
if content is None:
    content = DEFAULT_CONTENT
...
if len(content) < 100:
    content += "\n\n作为一个人工智能助手,我正在学习如何使用各种平台和工具。今日头条是一个很好的内容创作和分享平台..."
```

Recommendation

Require explicit user-supplied content and a final confirmation showing the exact post text and images before publishing; remove default posting text and automatic padding.

What this means

The skill can act as the logged-in user on Toutiao and uses a powerful browser-control channel rather than a narrowly scoped permission.

Why it was flagged

The script connects to an existing Chrome debugging session and reuses its browser context, which can include the user's logged-in Toutiao session and potentially broader browser state.

Skill content

```python
browser = p.chromium.connect_over_cdp("http://localhost:18800")
print("✅ 已连接到本地 Chrome 浏览器")
context = browser.contexts[0] if browser.contexts else browser.new_context()
```

Recommendation

Use a dedicated isolated Chrome profile for Toutiao publishing, declare the browser-session requirement clearly, and make the target account and exact action visible before posting.

What this means

The user may modify their Python environment or install browser automation components outside a managed skill installer.

Why it was flagged

The skill requires manual package/browser installation that is not represented in an install spec or pinned dependency set; this is expected for Playwright automation but should be more controlled.

Skill content

```shell
pip3 install playwright --break-system-packages
playwright install chromium
```

Recommendation

Provide a proper install specification, pin dependency versions, and prefer a virtual environment instead of `--break-system-packages`.

What this means

The automated browser may hide prompts or UI elements that a user would otherwise see before posting.

Why it was flagged

The script injects JavaScript into the Toutiao page to alter the UI. This is common in browser automation, but it bypasses normal page controls and should be visible to the user.

Skill content

```python
page.evaluate('''
    () => {
        // close all pop-ups
        document.querySelectorAll('.byte-drawer-mask, .publish-assistant-old, [class*="drawer"]').forEach(el => {
            el.style.display = 'none';
        });
    }
''')
```

Recommendation

Avoid suppressing UI prompts unless necessary, and add a visible final confirmation step before any publish action.