Article Publisher

v1.5.1

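A multi-platform article publishing tool for self-media creators, supporting one-click publishing to Zhihu, Bilibili, Baijiahao, Toutiao, Xiaohongshu and other platforms. It uses Playwright for browser automation and supports QR-code login and cookie persistence.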

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (multi-platform article publishing via Playwright) matches the provided code and README: adapters for Zhihu, Bilibili, Toutiao, Baijiahao, Xiaohongshu; browser automation logic; cookie management. There are no unrelated requested credentials, binaries, or config paths.
Instruction Scope
SKILL.md instructs user/agent to run npm install and 'npx playwright install chromium' and to perform QR code login. The runtime code manipulates page DOM, clicks buttons, uploads local files (cover images), and saves cookies locally. These behaviors are within the stated purpose, but they do mean the skill will access local files (images provided by the user) and persist authentication cookies on disk—both are sensitive operations that are, however, expected for a browser automation publisher.
Install Mechanism
No opaque remote download URLs are embedded in the registry metadata or SKILL.md. package.json depends on the official 'playwright' npm package and includes standard 'npx playwright install' commands (with an optional mirror override in scripts). This is a normal install flow for Playwright and not an arbitrary archive download from a personal server.
Credentials
The skill declares no required environment variables or external credentials. It operates via QR login and cookie persistence, which is appropriate. There are no unexpected SECRET/TOKEN env var requests in metadata. The main sensitivity is cookies and any local files the user supplies (cover images).
Persistence & Privilege
The skill is not force‑always included and uses normal autonomous invocation settings. It persists cookies locally (CookieManager usage visible in code), which is expected for reusing login sessions but is a form of local persistence — it does not request or modify other skills' configurations.
Assessment
This package appears to be what it says: a Playwright-based publisher that automates a real browser. Before installing, consider:
- It will require running 'npm install' and 'npx playwright install chromium', which will download Playwright and a Chromium binary. Use a network/host you trust.
- The tool drives a browser and will persist login cookies locally via its CookieManager. Treat the cookie files as sensitive (don't share them). If you are uncomfortable, review the cookie-manager implementation to see where cookies are stored and consider storing them in a secure location.
- When uploading cover images the code uses local file paths (setInputFiles). The skill will read any file paths you provide; do not supply files you consider sensitive.
- Because the skill automates your browser sessions, avoid running it with accounts holding high-value data unless you audit the code fully and/or use a disposable account or isolated environment.
- The repository has no external or obfuscated download links in the provided files, but you should still inspect the full code (especially cookie-manager and auto-install modules) before trusting production credentials.
If you want extra caution: run it in a VM/container or with a throwaway account first, or inspect/modify the code to change cookie storage behavior.

Like a lobster shell, security has layers — review code before you run it.

