Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tumblr Auto Post

v1.0.0

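Automatically generates a Fu Sheng-style article and cover image and publishes them to Tumblr in one step. On each run it asks in turn for the topic, target readers, writing goal, desired length, and content preferences, then publishes automatically once these are confirmed.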

by GuangxianLiu (@lgx-00)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lgx-00/tumblr-auto-post.

Install the skill "Tumblr Auto Post" (lgx-00/tumblr-auto-post) from ClawHub.
Skill page: https://clawhub.ai/lgx-00/tumblr-auto-post
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3, uv
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tumblr-auto-post

ClawHub CLI


npx clawhub@latest install tumblr-auto-post
Security Scan
Capability signals
Requires OAuth token
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's purpose is to let a user generate and publish posts to Tumblr, but the code includes hard-coded Tumblr OAuth credentials (consumer secret, access token, token secret) and a fixed BLOG_NAME (remoneofcourse). It does not provide a way for a user to supply their own Tumblr credentials. That means posts created by running this skill will go to the embedded account, not the user's account — inconsistent with the stated purpose.
! Instruction Scope
SKILL.md states the workflow asks five questions then 'directly publishes' with no extra confirmation; the script indeed auto-posts once run. This automatic publish behavior can cause unintended public posts. SKILL.md also mentions GEMINI_API_KEY for image generation, but the script uses 'uv' to call a generate_image.py script and does not reference GEMINI_API_KEY — an inconsistency between docs and code.
Install Mechanism
This is an instruction-only skill with a single Python script and no install spec, which limits on-disk installation risk. It does require python3 and 'uv' on PATH; 'uv' is used to run an external image generator script if available.
! Credentials
requires.env is empty, but the code embeds full OAuth secrets (consumer secret and access token secret). Asking for no credentials while shipping working credentials for a third-party account is disproportionate and suspicious. The script does not read user-provided env vars, so you cannot easily redirect posting to your account without editing the script.
Persistence & Privilege
The skill is not configured as always:true and does not modify other skills or system-wide configs. It runs only when invoked, but its automatic publish behavior increases risk of unintended actions when run.
What to consider before installing
Do not install or run this skill unless you understand and accept that it will post content to the embedded Tumblr account (remoneofcourse) using hard-coded OAuth credentials. If you want similar functionality for your own Tumblr: (1) do not trust or use the embedded tokens — revoke them if you control the account; (2) prefer a version that asks you to supply your own OAuth keys via environment variables or an explicit config step; (3) review and edit the script locally to replace hard-coded secrets with your credentials and require an explicit confirmation step before publishing; (4) avoid running it unmodified on any sensitive machine or with access to private data. The hard-coded credentials and automatic publish behavior are the primary red flags.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📝 Clawdis
Bins: python3, uv
latest: vk978vjq6c93k6bb41jh1nnk1hh859gdn
64 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Tumblr Auto Post

Automatically generates a Fu Sheng-style article + cover image and publishes them to Tumblr.

Configuration (preset)

Tumblr account: remoneofcourse
Consumer Key:6hFfvv3WkP46yy6Bgif9f8n0rOhli7eOTHOnBJ07PXk7njZrYK
Access Token:55OHtil3amJeXLDnTGknXgCGJD7SLM0f09LaS7c0fTkV7w7vAS

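Full conversation flow (automatic mode)

Step 1: Ask for the topic

"What topic do you want to post about?"

Step 2: Ask for the target readers

"Who are the target readers?"

  • Beginners (no background; needs to be easy to understand)
  • Practitioners (have the basics; cover insider know-how)
  • General users (ordinary readers; storytelling first)

Step 3: Ask for the writing goal

"What is the writing goal?"

  • Gain followers (clickbait headlines, structured, resonates with readers)
  • Conversion (call to action, pain-point resonance)
  • Brand expression (communicating values, professional credibility)
  • Opinion (has a stance, controversial, sparks discussion)

Step 4: Ask for the desired length

"How long should it be?"

  • Short: 800-1200 characters
  • Medium-long: 1500-2500 characters

Step 5: Ask for content preferences

"Which elements should the content include?"

  • Data support
  • Real cases
  • Memorable quotes
  • Subheadings
  • All of the above

Step 6: Generate and publish automatically. Generate the full article from the inputs above → generate a cover image (if GEMINI_API_KEY is set) → publish directly to Tumblr → return the article link

No additional confirmation is required; publishing is triggered as soon as the 5 questions are answered.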

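Characteristics of Fu Sheng's writing style

  • Opening: introduce the topic with a concrete scenario, confusion, or pain point
  • Structure: drive the thinking with "why" and "what"
  • Analogy: explain business/technical concepts clearly using everyday examples
  • Attitude: clear opinions; does not avoid contradictions
  • Ending: summary + one actionable recommendation
  • Data: support arguments with data, without piling up numbers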

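Article template

Generated and customized according to the topic and target readers:

  1. Scenario opening (a specific problem or phenomenon)
  2. Point out the contradiction (the misconception most people hold)
  3. Three-point argument (direction, pacing, accepting imperfection)
  4. Summary and elevation + call to action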

Command line

python3 ~/.openclaw/workspace/skills/tumblr-auto-post/scripts/tumblr_post.py "主题"

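Notes

  • Image generation requires GEMINI_API_KEY (optional; if skipped, the post is published as plain text)
  • Cover image generation requires uv (installed) + GEMINI_API_KEY
  • After the 5 questions are answered, the post is published automatically with no second confirmation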
