Toutiao Publisher
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Toutiao publishing tool, but it stores a logged-in session and can publish headlessly using anti-detection browser automation.
Install only if you are comfortable giving the skill a persistent logged-in Toutiao browser session. Prefer visible, interactive mode, require the agent to show you the final article before posting, and clear the saved authentication data when you no longer need the skill.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish content to the user's Toutiao account without the user seeing the final article in the browser.
This documents headless automation of a logged-in publishing workflow, including local content and image upload, with no explicit final confirmation requirement before public posting.
You can fully automate the publishing process by providing arguments: ... --content "article.md" --cover "assets/cover.jpg" --headless
Use only with explicit per-article approval, avoid headless mode for first or sensitive posts, and require the agent to show the final title/content/cover before publishing.
The user's Toutiao account may be flagged, restricted, or used in ways that violate platform expectations.
The skill explicitly configures browser automation to evade platform bot-detection controls, which is riskier than ordinary user-visible browser automation.
**Anti-Detection**: Uses `patchright`'s stealth features to avoid bot detection.
Confirm that this automation is allowed for the account, prefer visible interactive publishing, and avoid stealth/headless operation unless the platform permits it.
Anyone or any process with access to the skill data directory may be able to reuse the saved Toutiao session.
The skill stores reusable logged-in session material locally so future runs can access the Toutiao account without another login.
Cookies and storage state are saved to `data/browser_state/state.json`.
Install only on a trusted machine, protect the skill directory, and use the provided clear-auth/logout flow when finished or on shared systems.
The skill may download and run third-party packages/browser components before publishing.
On first run, the skill can install Python dependencies and a Chrome browser binary through Patchright, even though the registry lists no install spec.
[str(self.venv_pip), "install", "-r", str(self.requirements_file)] ... "-m", "patchright", "install", "chrome"
Review the pinned requirements, run in an isolated environment if possible, and make sure dependency downloads come from trusted package sources.