Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

weibo-auto-post

v1.0.0

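Weibo auto-publishing skill. Generates an image with PIL (warm / tech / midnight / comparison card) → pastes the image via the clipboard → publishes through browser automation. Trigger scenarios: help me post to Weibo, publish a scheduled Weibo post, generate a Weibo image, set up a scheduled Weibo publishing task.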

by AppleASugar @apple-sugar-xing

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for apple-sugar-xing/weibo-auto-post.

Install the skill "weibo-auto-post" (apple-sugar-xing/weibo-auto-post) from ClawHub.
Skill page: https://clawhub.ai/apple-sugar-xing/weibo-auto-post
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install weibo-auto-post

ClawHub CLI

npx clawhub@latest install weibo-auto-post

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
Name/description (Weibo auto-post with image generation) matches the included scripts (make_card.py and publish.py). However SKILL.md claims Playwright installation is required while the actual publish.py uses pyautogui/pyperclip and PowerShell; that's an incoherence. The package makes hardcoded Windows-specific path assumptions (C:\Users\13113\..., D:\QClaw_workspace) but the registry metadata declares no OS restriction—this is inconsistent and surprising.
! Instruction Scope
Runtime instructions and the cron payload ask the agent to: search web hot topics, read and write a local execution-record file (D:\QClaw_workspace\weibo_plan_v2.md), manipulate the GUI (screenshot, click, paste), and delete files in specific local directories. The cron guide explicitly instructs reading/writing a local file and using system PowerShell commands—operations outside a minimal posting scope and not declared in metadata.
Install Mechanism
No install spec (instruction-only) and no network downloads—lower install risk. But SKILL.md instructs running `playwright install chromium` while code doesn't use Playwright; dependencies (Pillow, pyautogui, pyperclip) are required but not declared. Missing/incorrect dependency guidance is a practical risk (and an incoherence).
! Credentials
The skill declares no required env vars or config paths but the cron guide and scripts assume access to and modification of specific local paths (C:\Users\13113\Pictures, $env:TEMP, D:\QClaw_workspace\weibo_plan_v2.md). It also uses the logged-in browser session (cookies/credentials in the browser). Hardcoded file operations and deletion commands (Remove-Item) are disproportionate and should have been declared or parameterized.
Persistence & Privilege
always:false (good). However the skill includes a cron example that would let the agent autonomously perform scheduled posts and modify local files. GUI automation (mouse/keyboard control, screenshots, file deletion) combined with autonomous invocation increases blast radius—exercise caution enabling scheduled/automatic runs.
What to consider before installing
Things to consider before installing or enabling this skill:

  • Inconsistencies: SKILL.md tells you to install Playwright, but the code uses pyautogui/pyperclip and PowerShell. Confirm and install only the actual dependencies (Pillow, pyautogui, pyperclip) and remove misleading instructions.
  • Windows-only assumptions: The scripts and cron examples use Windows paths (C:\Users\..., D:\...) and PowerShell commands but the skill metadata does not restrict OS. Don’t run on non-Windows systems; on Windows, inspect and adapt hardcoded paths to your environment.
  • Local-file access: The cron guide instructs reading/writing D:\QClaw_workspace\weibo_plan_v2.md and the scripts delete C:\Users\13113\Pictures\weibo_*.png and temp screenshots. If that path is not yours, the script may fail or, if modified, could delete files unexpectedly. Require the skill to use configurable paths instead of hardcoded ones.
  • GUI automation risks: publish.py uses pyautogui to click/type based on screen coordinates and will control your desktop (including taking screenshots). Run initial tests in a controlled environment (virtual machine or an isolated user session) and avoid enabling scheduled autonomous runs until you’ve verified behavior.
  • Credentials: The skill relies on an already logged-in browser; it does not request explicit credentials. Be aware that it will act using whatever browser session is active (cookies), so revoke or isolate the account if you do not trust automated posting.
  • Recommended changes before use: (1) Parameterize all local paths and declare them in metadata; (2) remove or fix the Playwright reference; (3) add OS restriction to Windows if intended; (4) replace hardcoded delete commands with safer cleanup that confirms targets and uses configurable directories; (5) avoid automatic scheduling until you have tested manually.

If you are not comfortable auditing or running these scripts locally, do not enable scheduled/autonomous execution and consider running the code only in an isolated VM or test account.

Like a lobster shell, security has layers — review code before you run it.

latest vk977y60cangxm6x69g5cep4tcd851vna
48 downloads
1 star
1 version
Updated 1w ago
v1.0.0
MIT-0

Weibo Auto Post

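Fully automated Weibo publishing workflow: content creation → image generation → browser publishing → temporary file cleanup

Publishing flow

Step 1: Generate the image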

python <skill_dir>/scripts/make_card.py --text "微博文案内容" --style warmth --output "C:\Users\13113\Pictures\weibo_card.png"

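Supported styles (--style):

  • warmth: warm everyday style, orange tones, 1080×1350, suited to daily-life and workplace topics
  • tech: dark tech style, dark blue background with gold text, suited to AI tool and identity-label content
  • midnight: late-night style, dark background with a blue-green gradient, suited to late-night interactive topics
  • contrast: left/right comparison card (red vs. green), suited to tool tests and debate topics, 1080×675

Step 2: Publish to Weibo (browser automation)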

python <skill_dir>/scripts/publish.py --image "C:\Users\13113\Pictures\weibo_card.png"

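Prerequisites

  • Chrome/Edge is installed and Playwright is installed: playwright install chromium
  • The Weibo account is logged in and the compose box (weibo.com/compose) is reachable

How it works: take a screenshot to locate the compose box coordinates → paste the image via the clipboard → Ctrl+V → wait for verification → enter the text → click Publish.

If the coordinates are off, use session_status in the cron job prompt to confirm the browser window position for that day, or fine-tune the coordinate parameters manually.

Step 3: Clean up temporary files

Runs automatically after publishing completes: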

Get-ChildItem "C:\Users\13113\Pictures\weibo_*.png" | Remove-Item -Force
Get-ChildItem "$env:TEMP\openclaw_screenshot_*.png" -EA SilentlyContinue | Remove-Item -Force
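
The scan's recommendation to replace the hardcoded delete commands with cleanup that confirms its targets and takes a configurable directory could look like this. It is an added example, not the skill's scripts/cleanup.py; the WEIBO_CARD_DIR variable and the function names are assumptions.

```python
"""Scoped cleanup for generated card images (added example, not the skill's code)."""
import fnmatch
import os
from pathlib import Path

# Assumption: the directory comes from configuration, not a hardcoded user profile.
ENV_VAR = "WEIBO_CARD_DIR"   # hypothetical variable name
PATTERN = "weibo_*.png"      # same name pattern as the Remove-Item line above


def plan_cleanup(directory: Path, pattern: str = PATTERN):
    """Return (targets, skipped): files safe to delete, and matches that are not."""
    root = directory.resolve(strict=True)   # raises if the directory does not exist
    targets, skipped = [], []
    for entry in sorted(root.iterdir()):    # direct children only, never recursive
        if not fnmatch.fnmatch(entry.name, pattern):
            continue
        if entry.is_symlink():
            skipped.append((entry.name, "symlink"))
        elif not entry.is_file():
            skipped.append((entry.name, "not a regular file"))
        else:
            targets.append(entry)
    return targets, skipped


def cleanup(directory: Path, pattern: str = PATTERN, dry_run: bool = True):
    """Delete only the planned targets; with dry_run (the default) delete nothing."""
    targets, skipped = plan_cleanup(directory, pattern)
    if not dry_run:
        for path in targets:
            path.unlink()
    return [p.name for p in targets], skipped


if __name__ == "__main__":
    card_dir = os.environ.get(ENV_VAR)
    if not card_dir:
        raise SystemExit(f"set {ENV_VAR} to the directory that holds generated cards")
    names, skipped = cleanup(Path(card_dir), dry_run=True)
    print("would delete:", names, "skipped:", skipped)
```

Run it once as a dry run and review the listed names before calling cleanup with dry_run=False.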

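Content strategy templates

Three-tier hashtag system

  • Permanent: #AI科普# #AI生活观察#
  • Traffic: #AI时代# #职场# #效率# #日常# #科技#
  • Engagement: #看法# #battle# #分享#

Content types (see references/content_types.md)

| Time slot | Type | Core goal |
|---|---|---|
| 8:00 | Morning hot-topic quick take | Capture trending-search traffic; take a clear stance |
| 11:00 | AI × everyday life | Relatable scenarios; conversational language |
| 14:00 | Identity-label post | Drive reposts; reflect the reader's identity |
| 15:30 | AI tools in practice | Hands-on tutorial; high save rate |
| 17:00 | Controversy/debate post | A/B vote; battle in the comments |
| 21:00 | Late-night interaction | Open-ended question; relaxed tone |

Scheduled task configuration

Create scheduled tasks with cron (see references/cron_guide.md). Each post must specify:

  • Content type (choose from the table above)
  • Specific topic (determined by searching the day's trending topics)
  • Image style

FAQ

Q: The image cannot be pasted? → Check that the clipboard holds image content; confirm the Weibo page has finished loading.

Q: Clicks land on the wrong coordinates? → The Weibo window position differs from user to user, so the coordinates need manual calibration on first use. Add "take a screenshot before publishing to confirm the compose box is visible" to the cron job prompt.

Q: Account restricted by risk control? → When Weibo triggers its security mechanism the page redirects to a notice; lift the restriction on mobile or web before publishing again.

Script reference

  • scripts/make_card.py: generates Weibo images, supports 4 styles
  • scripts/publish.py: browser-automation publishing (screenshot positioning → paste → verify → publish)
  • scripts/cleanup.py: cleans up temporary image files
  • references/content_types.md: writing notes for each content type
  • references/cron_guide.md: scheduled task configuration reference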
