Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weibo Microblogging CLI

v1.0.1

Use Weibo Open Platform for OAuth2 authentication, timeline retrieval, topic search, and structured social sentiment collection. Trigger this skill when task...

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, declared binaries (bash, curl, python3), and required env vars (WEIBO_APP_KEY, WEIBO_APP_SECRET, WEIBO_REDIRECT_URI) align with an OAuth2-based Weibo CLI. The companion Brave-search code is provided as a distinct sub-skill and documented as a fallback, which matches expectations.
Instruction Scope
The SKILL.md and scripts provide appropriate commands for OAuth flow and standard Weibo endpoints. However, the CLI's 'call' command accepts full absolute URLs (not just /2/ paths) and will automatically attach WEIBO_ACCESS_TOKEN if present; this means a user or an autonomous agent could be directed to call an arbitrary external endpoint and inadvertently transmit sensitive tokens. The docs do not prominently warn about that leakage vector.
Install Mechanism
No install spec (instruction-only with shipped scripts). That minimizes supply-chain risk. The repo files are plain shell and Python code with no external downloads or archive extraction.
Credentials
Requested env vars are proportional to stated functionality: app key/secret and redirect URI for OAuth; optional WEIBO_ACCESS_TOKEN for pre-issued-token workflows. Companion BRAVE_SEARCH_API is declared only in the weibo-brave-search sub-skill. The project docs and remediation plan explicitly call out secret-handling practices. Still, automatic use of WEIBO_ACCESS_TOKEN in arbitrary 'call' invocations increases the chance of secret leakage if env secrets are not tightly managed.
Persistence & Privilege
No elevated persistence requested: always is false, no install hooks or changes to other skills' config. The skill does not request system-wide configuration changes.
What to consider before installing
This skill appears to implement the Weibo OAuth and API calls it claims, but review these points before installing or enabling it:

  1. Use SecretRef or your external secret manager for WEIBO_APP_SECRET (the repo already recommends this). Do not commit secrets.
  2. Be careful with WEIBO_ACCESS_TOKEN: the CLI will attach it to requests automatically; avoid setting that env var in long-lived/shared environments unless needed.
  3. The 'call' command accepts absolute URLs and will include access tokens if present; do not use it against untrusted endpoints (it can leak tokens). Prefer explicit /2/... paths and double-check target URLs.
  4. If you do not want the Brave fallback, keep weibo-brave-search disabled or treat it as a separate skill; its credential (BRAVE_SEARCH_API) is declared separately.
  5. Inspect the scripts (scripts/weibo_cli.sh and weibo-brave-search/scripts/weibo_search.py) yourself and consider adding local guards (e.g., disallow non-Weibo URLs or require an explicit --allow-external flag) if you plan to run this in autonomous workflows.

If you want higher assurance, ask the publisher to add an explicit warning about the 'call' behavior and a guard that prevents tokens from being sent to non-Weibo domains.
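The local guard the scan suggests for the 'call' command (refuse non-Weibo targets, or with an explicit --allow-external flag call them without the token), written as an added shell example; it is not code from the skill's scripts/weibo_cli.sh, and the function names, the "Authorization: OAuth2" header form and the dry-run output are assumptions.

```shell
# Added example, not part of the skill's scripts/weibo_cli.sh: a guard that
# decides whether WEIBO_ACCESS_TOKEN may be attached to a 'call' target.
# Assumed policy: only https://api.weibo.com receives the token; any other target
# is refused unless --allow-external is given, and then goes WITHOUT the token.

WEIBO_API_BASE="https://api.weibo.com"

# resolve_weibo_url PATH_OR_URL: a /2/... path becomes a full Weibo URL,
# anything else is passed through unchanged (exactly the risky case).
resolve_weibo_url() {
  case "$1" in
    /*) printf '%s%s\n' "$WEIBO_API_BASE" "$1" ;;
    *)  printf '%s\n' "$1" ;;
  esac
}

# is_weibo_host URL: succeeds only for https:// with host exactly api.weibo.com.
# Userinfo and port are stripped so "https://api.weibo.com@evil.example/" fails.
is_weibo_host() {
  case "$1" in https://*) ;; *) return 1 ;; esac
  local host="${1#https://}"
  host="${host%%[/?#]*}"   # cut at first '/', '?' or '#'
  host="${host#*@}"        # drop user:pass@
  host="${host%%:*}"       # drop :port
  [ "$host" = "api.weibo.com" ]
}

# token_policy PATH_OR_URL [--allow-external]: prints attach | refuse | external-no-token
token_policy() {
  local url
  url="$(resolve_weibo_url "$1")"
  if is_weibo_host "$url"; then echo attach
  elif [ "${2:-}" = "--allow-external" ]; then echo external-no-token
  else echo refuse
  fi
}

# guarded_call METHOD PATH_OR_URL [--allow-external]: dry run that prints the
# curl command it would issue (token masked; header form assumed) and returns 2 when refusing.
guarded_call() {
  local url policy
  url="$(resolve_weibo_url "$2")"
  policy="$(token_policy "$2" "${3:-}")"
  case "$policy" in
    attach)            printf 'curl -sS -X %s -H "Authorization: OAuth2 ****" %s\n' "$1" "$url" ;;
    external-no-token) printf 'curl -sS -X %s %s\n' "$1" "$url" ;;
    refuse) echo "refused: $url is not api.weibo.com (pass --allow-external to call it without a token)" >&2; return 2 ;;
  esac
}
```

Placed in front of the existing call handler, the token is only ever attached when token_policy prints attach.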


Runtime requirements

Bins: bash, curl, python3
Env: WEIBO_APP_KEY, WEIBO_APP_SECRET, WEIBO_REDIRECT_URI
Primary env: WEIBO_APP_SECRET
Latest version id: vk972hr83snnj2qw365cg51f7xn8231e4
674 downloads
1 star
2 versions
Updated 9h ago
v1.0.1
License: MIT-0

Weibo

Use this skill to collect Weibo signals with reproducible Weibo Open Platform API calls and CLI automation.

Quick Start

  1. Review references/api_guide.md for current official endpoints and constraints.
  2. Provide credentials through OpenClaw skill config or secure environment injection.
  3. Generate an authorization URL: bash scripts/weibo_cli.sh oauth-authorize-url
  4. Exchange code for a token: bash scripts/weibo_cli.sh oauth-access-token --code "<code>"
  5. Call endpoints: bash scripts/weibo_cli.sh public-timeline --count 20

Primary Interface

Use the Bash CLI first:

  • scripts/weibo_cli.sh: OAuth2 + direct API command interface, optimized for agentic runs.

Optional companion skill:

  • weibo-brave-search: separate fallback skill for site:weibo.com search through Brave Search API.

Recommended Workflow

  1. Validate provider requirements in references/api_guide.md.
  2. Run oauth-authorize-url, open URL, capture code.
  3. Run oauth-access-token --code ... and store token securely.
  4. Use endpoint helpers (public-timeline, user-timeline, search-topics) or call.
  5. If API access is blocked and you explicitly want a separate commercial fallback, use the weibo-brave-search skill instead of this one.

CLI Command Surface

  • oauth-authorize-url
  • oauth-access-token --code <code>
  • oauth-token-info
  • public-timeline [--count N] [--page N]
  • user-timeline --uid <uid> [--count N]
  • search-topics --q <query>
  • call --method GET --path /2/... --param key=value

Run bash scripts/weibo_cli.sh --help for details.

Credentials And Secret Handling

Credential classes:

| Variable           | Required | Sensitive | Used for                                     |
|--------------------|----------|-----------|----------------------------------------------|
| WEIBO_APP_KEY      | Yes      | No        | OAuth client identifier                      |
| WEIBO_APP_SECRET   | Yes      | Yes       | OAuth token exchange                         |
| WEIBO_REDIRECT_URI | Yes      | No        | OAuth callback                               |
| WEIBO_ACCESS_TOKEN | Optional | Yes       | Authenticated API calls after token issuance |

OpenClaw configuration guidance:

  1. Set skills.entries.weibo.apiKey to a SecretRef or plaintext value only for WEIBO_APP_SECRET, because this skill declares WEIBO_APP_SECRET as its primaryEnv.
  2. Set skills.entries.weibo.env.WEIBO_APP_KEY and skills.entries.weibo.env.WEIBO_REDIRECT_URI as regular env config.
  3. If you want pre-issued token flows, set skills.entries.weibo.env.WEIBO_ACCESS_TOKEN from your external secret manager or deployment environment.

Warnings:

  • WEIBO_APP_SECRET and WEIBO_ACCESS_TOKEN are sensitive and must not be committed.
  • OpenClaw's documented SecretRef audit path covers skills.entries.<skillKey>.apiKey; it does not give the same visibility for arbitrary ad hoc env vars.
  • If you inject WEIBO_ACCESS_TOKEN through plain environment variables, store it in your external secrets manager or deployment environment and do not treat it as registry-managed unless you have configured it that way intentionally.
  • This skill makes network calls to https://api.weibo.com.

Notes

  • Prefer JSON output for downstream automation.
  • Keep requests minimal and paginated to reduce rate-limit pressure.
  • Use the official docs linked in references/api_guide.md as source of truth when endpoint behavior conflicts with old SDK examples.
