Toutiao Publisher
v1.0.1
Publish articles to Toutiao (Today's Headlines). Handles persistent authentication (login once) and session management. Opens browser for interactive publish...
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included code and SKILL.md: scripts implement interactive and automated browser publishing to mp.toutiao.com, persistent auth, and session management. Required capabilities (Playwright-like automation via patchright, storage of state.json) are expected for this purpose. Minor inconsistency: run.py lists a 'cleanup_manager.py' in help output that is not present in the bundle (harmless but sloppy).
Instruction Scope
SKILL.md only instructs running the included scripts to authenticate, publish, check status, and clear auth. The runtime instructions/CLI map to the bundled scripts and reference only the Toutiao domain and local files under the skill (data/browser_state, .venv). There are no instructions to read unrelated system files or environment variables. Note: the skill persists cookies/localStorage to data/browser_state/state.json (sensitive data).
Install Mechanism
The registry has no install spec, but the bundled setup_environment.py will create a .venv, pip-install requirements (patchright, python-dotenv) and invoke 'python -m patchright install chrome' which downloads/installs Chromium/Chrome components. This is expected for a Playwright-style automation tool, but it will perform network downloads and write binaries to disk — consider trust of the packages (patchright) and network activity during setup.
Credentials
The skill requests no environment variables or external credentials. It persistently stores browser state (cookies/localStorage) and an auth_info.json under the skill's data directory — this is appropriate for maintaining session state but constitutes sensitive account data that will reside on disk. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It creates a local .venv and writes browser state/auth files under its data directory (expected behavior). Autonomous invocation is allowed by default (platform normal) — consider whether you want the agent to run automated headless publishing without human confirmation.
Assessment
This skill appears to do what it says: it automates a browser to publish to Toutiao and saves login state locally. Before installing, consider:
1) The setup script will create a .venv and pip-install packages (including 'patchright') and will download Chrome/Chromium runtime — only proceed if you trust those packages and are comfortable with network downloads.
2) The tool saves authentication cookies and localStorage to data/browser_state/state.json and auth_info.json in the skill directory; treat these files like credentials and store them securely or delete them when you no longer need the skill.
3) Because the skill includes anti-detection/stealth features, be aware it is intentionally designed to mimic human behavior; that is coherent with the purpose but increases the impact if misused.
4) If you plan to let an agent call this autonomously, restrict it from publishing sensitive or unintended content — consider requiring manual confirmation before any automated publish.
5) The skill owner is unknown and there is no homepage; if you need higher assurance, run the setup in an isolated environment (VM/container), audit the 'patchright' package and the code, or only run the interactive (non-headless) workflows so you can observe actions.
Like a lobster shell, security has layers — review code before you run it.
latest
Toutiao Publisher Skill
Manage Toutiao (Today's Headlines) account, maintain persistent login session, and publish articles.
When to Use This Skill
Trigger when user:
- Asks to publish to Toutiao/Today's Headlines
- Wants to manage Toutiao login
- Mentions "toutiao" or "头条号"
Core Workflow
Step 1: Authentication (One-Time Setup)
The skill requires a one-time login. The session is persisted for subsequent uses.
# Browser will open for manual login (scan QR code)
python scripts/run.py auth_manager.py setup
Instructions:
- Run the setup command.
- A browser window will open loading the Toutiao login page.
- Log in manually (e.g., scan QR code).
- Once logged in (redirected to dashboard), the script will save the session and close.
Step 2: Publish Article
# Opens browser with authenticated session at publish page
python scripts/run.py publisher.py
Instructions:
- Run the publisher command.
- Browser opens directly to the "Publish Article" page.
- Write and publish the article manually.
- Press Ctrl+C in the terminal when done.
Note: Toutiao requires titles to be 2-30 characters. This tool automatically optimizes titles to fit this constraint (truncating if >30, padding if <2).
Advanced Usage (Automated)
You can fully automate the publishing process by providing arguments:
# Publish with title, content file, and cover image
python scripts/run.py publisher.py --title "AI Trends 2025" --content "article.md" --cover "assets/cover.jpg" --headless
Management
# Check authentication status
python scripts/run.py auth_manager.py status
# Clear authentication data (logout)
python scripts/run.py auth_manager.py clear
Technical Details
- Persistent Auth: Uses patchright to launch a persistent browser context. Cookies and storage state are saved to data/browser_state/state.json.
- Anti-Detection: Uses patchright's stealth features to avoid bot detection.
- Environment: Automatically manages a virtual environment (.venv) with required dependencies.
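Since data/browser_state/state.json holds a logged-in session, its permissions and contents are worth auditing after setup. The script below is an added example, not part of the skill's code; it assumes the file uses the Playwright storage-state layout (top-level "cookies" and "origins" keys), which this page does not confirm, and it runs on a constructed sample rather than real cookies.

```python
import json, os, stat, tempfile, time

def audit_state_file(path, now=None):
    """Summarise a saved browser state file without printing any secret values."""
    now = time.time() if now is None else now
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        state = json.load(fh)
    cookies = state.get("cookies", [])
    # Assumed layout: expires == -1 marks a session cookie, so count it as live.
    live = [c for c in cookies if c.get("expires", -1) == -1 or c["expires"] > now]
    return {
        "mode": oct(mode),
        "too_permissive": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        "live_cookies": len(live),
        "domains": sorted({c.get("domain", "").lstrip(".") for c in live}),
        "not_http_only": sorted(c["name"] for c in live if not c.get("httpOnly")),
        "local_storage_origins": sorted(
            o["origin"] for o in state.get("origins", []) if o.get("localStorage")),
    }

def lock_down(path):
    """Restrict the file to its owner (0600), as for any credential file."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

def demo():
    # Constructed sample: placeholder names and values, not real Toutiao cookies.
    sample = {"cookies": [
        {"name": "session_placeholder", "value": "x", "domain": ".toutiao.com",
         "expires": 1_800_000_000, "httpOnly": True},
        {"name": "prefs_placeholder", "value": "x", "domain": "mp.toutiao.com",
         "expires": -1, "httpOnly": False},
        {"name": "old_placeholder", "value": "x", "domain": ".toutiao.com",
         "expires": 1_600_000_000, "httpOnly": True}],
        "origins": [{"origin": "https://mp.toutiao.com",
                     "localStorage": [{"name": "k", "value": "x"}]}]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "state.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # simulate a world-readable state file
        before = audit_state_file(path, now=1_700_000_000)
        lock_down(path)
        return before, audit_state_file(path, now=1_700_000_000)

if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```

Point audit_state_file at the real state file to see which domains still have live cookies before deciding whether to run the clear command.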
Script Reference
- scripts/auth_manager.py: Handles login, session validation, and state persistence.
- scripts/publisher.py: Launches authenticated browser for publishing.
- scripts/run.py: Wrapper ensuring execution in the correct virtual environment.
