Typecho Blog Publish
v2.0.0通过 XML-RPC 自动发布文章到 Typecho 博客。支持文件读取、草稿模式、标签管理、智能配图。
⭐ 0· 103·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (publish to Typecho via XML-RPC) match the shipped scripts (publish_post.py, publish_v2_full.py, upload_image.py, manage.py, etc.). Required binary (python3) and primaryEnv (BLOG_PASSWORD) are appropriate and expected for this functionality. No unrelated cloud credentials or unexpected system paths are requested.
Instruction Scope
SKILL.md and other docs instruct the agent to read Markdown files, a local .env, run the included Python scripts, upload images, download images from external image services (Pexels/Unsplash/LoremFlickr/etc.), and call the Typecho XML-RPC endpoint — all within the declared purpose. However, the documentation is inconsistent about publish defaults: some docs state 'default draft mode' while QUICKSTART/README_V2 mention 'v2.0 default directly publish (immediate)'. This mismatch could lead to unexpected public posts if a user assumes draft-only behavior. Also note that the scripts perform network calls (blog server + third-party image hosts) and will read/write local files (logs, temp images).
Install Mechanism
No install spec is provided (instruction-only install), and all code is included in the package. There are no network install steps that would download and execute arbitrary archives during install, so installation risk is low. The package does include many scripts and example articles which will be present on disk when installed.
Credentials
The skill requires the blog password (BLOG_PASSWORD) and optionally BLOG_URL, BLOG_USERNAME, BLOG_XMLRPC — these are proportionate to an XML-RPC publisher. There are no unrelated secrets requested. The skill will read a local .env and local article files (expected).
Persistence & Privilege
Flags show always:false and model invocation allowed (default). The skill does not request permanent platform-wide privileges. Scripts will write local logs and can create/delete posts via XML-RPC (manage.py supports deletion) — appropriate for a blog management tool but worth being aware of.
Assessment
This package is coherent with its stated purpose, but take these precautions before installing or running it: 1) Treat BLOG_PASSWORD as a high-value secret — prefer an app-specific password and store .env with strict permissions (chmod 600). 2) Verify the publish mode in your installed copy: test on a staging Typecho instance (set BLOG_URL to a test server) to confirm whether scripts publish immediately or only save drafts, because docs conflict about the default. 3) Audit the publish and upload scripts (publish_post.py, publish_v2_full.py, upload_image.py, manage.py) to confirm they call only your blog's XML-RPC endpoint and to understand delete behavior. 4) Be aware the skill downloads images from external hosts (Unsplash/Pexels/LoremFlickr/etc.) and uploads binaries to your blog — check licensing and network use. 5) Run initial tests against a non-production blog to avoid accidental public posts or unwanted deletions. 6) If you want extra safety, remove or disable any automatic 'publish now' code paths or add a forced --draft flag in the scripts before use.Like a lobster shell, security has layers — review code before you run it.
latestvk97faz8pb8mk9v0h71m4k6kcvd84506q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📝 Clawdis
Binspython3
Primary envBLOG_PASSWORD