Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bili Article Poster

v1.0.0

Automated posting skill for B站 (bilibili) column articles. Supports: (1) diverse topic discovery (AI + programming/workplace/robotics/gaming/tech) (2) searching Reddit, The Verge and other industry media (3) deep content restructuring to generate an article (4) automatically filling in the title/body/images/topics/declarations and saving a draft. Trigger scenarios: (1) the user asks to publish a B站 article (2) content needs to be generated automatically from trending topics

by OldYoung (@oldyoungcn)

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md align with the stated purpose (finding topics, generating articles, uploading to B站 using Playwright and user cookies). However there are mismatches: SKILL.md says the Brave API key should be configured in ~/.openclaw/openclaw.json, yet topic-discovery.js contains a hard-coded Brave API key. The skill also implicitly requires curl and Node/Playwright even though no binaries or install spec are declared.
Instruction Scope
Runtime instructions and the scripts access local files with specific absolute paths (/home/ubuntu/.openclaw/workspace/*), expect a user-provided bilibili_cookies.json (contains authentication cookies), launch browsers (Playwright), perform network searches, and download arbitrary images. The references file includes a clipboard-based JS snippet that, if executed by a user in their browser, would copy document.cookie (sensitive) — the SKILL.md points to that snippet as a debugging helper. The scripts download external URLs and write files to disk; these behaviors go beyond just 'filling a form' and involve fetching remote content and handling credentials (cookies).
Install Mechanism
No install spec is provided (instruction-only), which reduces surface area, but the code depends on Node.js, Playwright, and curl. The script uses child_process.execSync to call curl with -k (skip SSL verification) and passes image URLs directly into the shell command — this is risky because it allows command injection if a URL contains shell metacharacters and also silently accepts invalid TLS certificates.
Credentials
No required env vars are declared, yet SKILL.md references a Brave API key in ~/.openclaw/openclaw.json and the code contains an embedded API key ('BSAX4o9UDvUsPruQ3jQ-y14-plgXuzf'). The skill requires a bilibili_cookies.json file containing the user's session cookies — appropriate for automated posting but sensitive. Hard-coded third-party API keys and reliance on plaintext cookie files are disproportionate and raise confidentiality and provenance concerns.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It may use a persistent browser profile under /home/ubuntu/.openclaw/workspace/bili-profile, but it does not modify other skills or agent-wide configuration. Autonomous invocation is allowed by default (platform normal).
What to consider before installing

  • The skill will require your B站 session cookies (bilibili_cookies.json) or a browser profile to log in; providing these grants the skill the ability to act as your account. Only proceed if you trust the code and its maintainer.
  • The topic-discovery script contains a hard-coded Brave API key (BSAX4o9...), which is inconsistent with the SKILL.md claim that you should configure your own key. Hard-coded keys may be abused by others or indicate copied/leftover credentials; treat this as suspicious.
  • The code downloads images using curl via execSync and curl -k (skipping SSL verification). This both tolerates insecure TLS and passes unvalidated URLs into a shell command, creating a risk of command injection if URLs are maliciously crafted. Consider replacing curl exec calls with a safe HTTP client (e.g., node https/got) and validating/whitelisting URLs.
  • The references file includes a clipboard-based JS snippet that, if you run it in a logged-in browser, will copy document.cookie; that leaks your session cookies. Do NOT run that snippet unless you understand the risk.
  • Recommended mitigations: review and/or remove the hard-coded API key; ensure the Brave API key is provided by you via a secure config; replace execSync curl calls with safe, URL-sanitizing HTTP code; run the skill in an isolated environment or throwaway account; inspect downloaded images before uploading; do not store bilibili cookies in insecure shared locations.

If you want, I can produce a safer patch list for the scripts (remove execSync, read API key from config, validate image URLs, and explicit required binaries) or enumerate exact lines that are risky.
scripts/topic-discovery.js:122
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


latest vk97fn67z4s7gnvg011b6arqt5x83vg8c · 95 downloads · 0 stars · 1 version · Updated 3w ago · v1.0.0 · MIT-0

B站 column post automation

Full workflow (two steps)

# Step 1: discover trending topics + generate a high-quality article
cd /home/ubuntu/.openclaw/workspace && node skills/bili-article-poster/scripts/topic-discovery.js

# Step 2: post to B站 automatically
cd /home/ubuntu/.openclaw/workspace && node skills/bili-article-poster/scripts/bili-poster.js

Workflow details

Step 1: topic discovery + article generation (topic-discovery.js)

1. Diverse topic discovery

  • Brave Search API searches for trending topics across several AI+ directions
  • Topic directions: AI + programming, AI + workplace, AI + robotics, AI + gaming, AI + tech
  • Automatically avoids picking the same theme two days in a row
  • Sources: Reddit r/gamedev, r/programming, r/LocalLLaMA, The Verge, GamesIndustry.biz, etc.

2. Deep search

  • Mines content in depth for the hottest topic
  • Searches related coverage, developer opinions and industry reports

3. Intelligent article generation (core)

  • Analyzes trending keywords, mentioned companies and key figures
  • Article quality standard
    • Clear structure: opening phenomenon → data evidence → trend analysis (multi-layered) → in-depth interpretation → takeaways → closing punchline
    • Substantial content: about 28 paragraphs, each point fully developed
    • Rigorous logic: phenomenon, analysis, data and takeaways, without exaggeration
    • Smooth reading: paragraphs connect, tone natural and fluent
  • Output: title + body + topics + image paths

4. Image search and download

  • Dynamically generates 3 different image search terms from the article theme
  • Avoids reusing previously used images
  • Picks randomly among search results for more variety
  • Verifies the image format (JPEG/PNG/GIF)

5. Topic history

  • Automatically records the topics and image search terms used in the last 7 days
  • Deduplicates on the next run to avoid repeating themes and images

Step 2: automatic posting to B站 (bili-poster.js)

Prerequisites

  1. Cookies: /home/ubuntu/.openclaw/workspace/bilibili_cookies.json
  2. Images: /home/ubuntu/.openclaw/workspace/article_images/
  3. Article content: /home/ubuntu/.openclaw/workspace/article_content.json

Posting flow

  1. Load bilibili_cookies.json to log in automatically
  2. Open the draft list and click edit
  3. Fill in the title and body
  4. Upload 3 images (at the start, middle and end)
  5. Smart topic selection: picks the hottest topic from the article's keywords
  6. Tick the creation declarations (original + AI-assisted)
  7. Save the draft
  8. The browser stays open; the user publishes manually

Article quality standard (core requirements)

Every generated article must satisfy:

Structure standard

Opening → introduce the phenomenon (open with a concrete story or observation)
Data → supporting evidence (industry data, company cases)
Analysis → trend interpretation (layered, multi-angle)
Depth → thinking about essentials (what has not changed, the core logic)
Takeaways → practical advice (separate advice for different groups)
Closing → punchline ending (concise and forceful)

Content standard

  • Every article has at least 25 paragraphs
  • Includes at least 1 concrete data point and at least 2 company/product cases
  • Comparative analysis (what changed, what did not)
  • Layered progression (not a flat narration)
  • Provokes thought (not a pure information dump)
  • No exaggeration (factual, not sensational)
  • No rambling (make each point fully, then stop)

Prerequisites

  1. Brave API key: configured in ~/.openclaw/openclaw.json
  2. Cookies: /home/ubuntu/.openclaw/workspace/bilibili_cookies.json
  3. Node.js + Playwright

File structure

skills/bili-article-poster/
├── SKILL.md              # this file
├── scripts/
│   ├── topic-discovery.js  # trending topic discovery + article generation
│   ├── bili-poster.js      # B站 automatic posting
│   └── cover-only.js       # cover image only (optional)
├── references/
│   └── bili-editor-tech.md
└── article_content.json   # generated article content (created at runtime)

History files

/home/ubuntu/.openclaw/workspace/article_topic_history.json   # topic history (7 days)
/home/ubuntu/.openclaw/workspace/article_image_history.json   # image search history (20 entries)

Debugging

# kill Chrome processes
killall -9 chrome chromium

# view screenshots
ls -lt /home/ubuntu/.openclaw/workspace/bili_*.png

# view the generated article
cat /home/ubuntu/.openclaw/workspace/article_content.json

# view the topic history
cat /home/ubuntu/.openclaw/workspace/article_topic_history.json
