Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Toutiao Publish
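v6.1.0
Automatically publishes content to Toutiao (micro-posts/articles). Trigger phrases: 发头条、发布头条、微头条、今日头条、发文章、写头条 (post to Toutiao, publish to Toutiao, micro-post, Toutiao, publish an article, write a Toutiao post). Supports inserting AI-recommended images into the article body, cover images from free licensed image libraries, and fully automated article publishing.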
⭐ 5 · 882 · 8 current · 8 all-time
by Sheldon.li @axdlee
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality (automating mp.toutiao.com publish flow via browser automation and JS injection) matches the stated purpose. However the registry metadata lists no required binaries or environment needs while README/SKILL.md and the shipped scripts clearly require a 'browser' CLI, Chrome/Chromium, Node.js/Python and a CDP-capable browser — the missing declared dependency is an incoherence that could hide runtime surprises.
Instruction Scope
Runtime instructions repeatedly use browser.act evaluate to run arbitrary JavaScript inside the publishing page (setting innerHTML, dispatching events, clicking UI elements). That is necessary for automation, but it also gives the skill the ability to read or manipulate any data visible in the page context (profile info, tokens in DOM, etc.). The SKILL.md also requests file read/write, network to mp.toutiao.com and localhost, and shell access (to run a local http.server) — these broaden the scope and increase the risk of data exposure if the scripts are modified or misused.
Install Mechanism
There is no remote install step (no downloads), and all code is included in the package (shell scripts and docs). That reduces supply-chain risk, but the package contains executable shell scripts that will invoke the 'browser' CLI and spawn/expect local services. The absence of an explicit install spec is acceptable but you should review and audit the included scripts before running them.
Credentials
The registry lists no required environment variables or credentials (reasonable because the skill uses your logged-in browser session), yet SKILL.md declares permissions for fileRead/fileWrite, network and shell. Requesting file and shell access is plausible for serving local images via an HTTP server, but these capabilities are powerful and not justified in detail by the description. The skill does not ask for explicit API keys, but it will act using whatever Toutiao session is present in the browser — meaning it operates with your account privileges.
Persistence & Privilege
The skill is not marked always:true and does not request to modify other skills or system-wide settings. It runs on demand and its persistence/privilege level is reasonable for a user-invoked browser automation skill.
What to consider before installing
This skill automates publishing by running JavaScript inside your logged-in Toutiao browser session and by invoking a local 'browser' CLI and optional local HTTP server. Before installing: (1) verify you trust the author and read the included scripts (publish-toutiao.sh, test-publish.sh) line-by-line; (2) confirm you have the required tooling (a CDP-capable Chrome/Chromium and the 'browser' CLI) — the registry metadata does not list these dependencies; (3) run tests in a separate, disposable browser profile or isolated environment to avoid publishing accidental content or exposing sensitive cookies; (4) don't give this skill access to sensitive local files or shared browser profiles; and (5) if you cannot audit the code yourself, treat it as risky because evaluate() calls can be modified to exfiltrate data visible to the page. If those concerns are acceptable and you audit the scripts, the skill's actions are consistent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
