Baoyu Post To Weibo

Review

Audited by ClawScan on May 11, 2026.

Overview

The skill mostly matches its Weibo-posting purpose, but it explicitly uses logged-in Chrome automation to bypass anti-bot detection and runs OS-level clipboard/keystroke commands.

Before installing, make sure you are comfortable letting the skill drive a logged-in Chrome session and use your clipboard/keystrokes to compose Weibo content. Use a dedicated Chrome profile, review all text and media in the browser before clicking publish, avoid switching apps while it runs, and prefer a trusted local Bun installation over the npx fallback.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using this may put the user's Weibo account or content at risk if Weibo treats the automation as evasion, even though the artifact says the final publish click is manual.

Why it was flagged

The skill advertises browser automation specifically as a way to bypass anti-bot detection while preparing public social-media posts.

Skill content

Posts text, images, videos, and long-form articles to Weibo via real Chrome browser (bypasses anti-bot detection).

Recommendation

Install only if you are comfortable with browser automation against Weibo. Keep the manual review step, avoid using it to evade platform protections, and consider using a dedicated Weibo account/profile.

What this means

Anyone or any agent process using the same configured Chrome profile could compose content under the logged-in Weibo account.

Why it was flagged

The skill relies on a saved browser session to act as the user's logged-in Weibo account.

Skill content

First run: log in to Weibo manually (session saved)

Recommendation

Use a dedicated Chrome profile for this skill, review the browser before publishing, and log out or remove the profile if you no longer want the skill to have account access.

What this means

If focus is wrong, the skill could paste article content or images into an unintended application.

Why it was flagged

The helper runs OS automation commands to send paste keystrokes to the frontmost or targeted application.

Skill content

const result = spawnSync('osascript', ['-e', script], { stdio: 'pipe' });

Recommendation

Watch the browser while the skill runs, avoid switching apps during paste steps, and stop the run if the wrong application is focused.

What this means

Running through npx may fetch runtime code from the package registry at execution time.

Why it was flagged

If Bun is not installed, the documented runtime fallback can download and run a package via npx. This is a common setup pattern but relies on external package provenance.

Skill content

if `bun` installed → `bun`; if `npx` available → `npx -y bun`

Recommendation

Prefer installing Bun from a trusted source and review or preserve the provided lockfile for the script dependencies.