ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Publisher

v1.0.0

One-click publishing to Juejin, Zhihu, Weibo, and Xiaohongshu with scheduling, format adaptation, and publishing logs using platform cookies.

0· 179·0 current·0 all-time
by@yang1002378395-cmyk

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yang1002378395-cmyk/zh-social-publisher.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Social Publisher" (yang1002378395-cmyk/zh-social-publisher) from ClawHub.
Skill page: https://clawhub.ai/yang1002378395-cmyk/zh-social-publisher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zh-social-publisher

ClawHub CLI

Package manager switcher

npx clawhub@latest install zh-social-publisher
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims support for Juejin, Zhihu, Weibo, and Xiaohongshu in the description, but the bundled code (scripts/social_publisher.py) only implements juejin, zhihu, and weibo. package.json and SKILL.md refer to repository/hosting on an unfamiliar domain; no homepage is provided. These inconsistencies suggest the metadata and code are not fully aligned.
!
Instruction Scope
SKILL.md tells the user to put platform cookies in ~/.openclaw/workspace/config/social-publisher.json, but the script loads config relative to the skill bundle (CONFIG_FILE = W / 'config/social-publisher.json' where W = two levels up from the script). That mismatch means cookies placed as instructed may not be found, and cookies might instead be stored alongside the skill bundle. SKILL.md also references Xiaohongshu support and a note about captchas, but there's no Xiaohongshu code. The runtime instructions otherwise are limited to posting content and logging; there are no other surprising file reads or external endpoints beyond the platform APIs.
Install Mechanism
No install spec is included (instruction-only install). The bundle contains a Python script and package.json but nothing is downloaded at runtime. This is lower risk than an installer that fetches arbitrary code from the internet.
Credentials
The skill does not request environment variables, but it requires platform cookies (sensitive credentials) stored in a JSON config file. Storing cookies unencrypted in a filesystem path adjacent to the skill (memory/ and config/ under the bundle) may expose credentials to other local users or backups. Asking for cookies is proportional to the stated publishing purpose, but the SKILL.md/code path mismatch and lack of guidance on secure storage are concerning.
Persistence & Privilege
always is false and the skill only reads/writes its own config and log files (config/social-publisher.json and memory/social-publish-log.jsonl relative to the bundle). It does not request elevated privileges or modify other skills. Autonomous invocation is allowed by default but not itself flagged.
What to consider before installing
This skill is not outright malicious, but there are inconsistencies and privacy risks you should weigh before installing: - Do not supply real account cookies until you trust the author. Test with throwaway accounts first. - SKILL.md tells you to put cookies in ~/.openclaw/workspace/config/social-publisher.json, but the script actually reads config/social-publisher.json relative to the skill bundle. Confirm where cookies will be stored and avoid leaving them in a repository or world-readable folder. - The description mentions Xiaohongshu but the script does not implement it — expect incomplete functionality. - Logs are written to memory/social-publish-log.jsonl in the bundle; these may contain publish results and should be protected. - Prefer encrypted/OS-protected credential storage over plaintext cookies in files; if you proceed, review scripts/social_publisher.py yourself (or have someone you trust do so) to verify there are no hidden endpoints or extra network calls. If you cannot verify the code or do not want to risk exposing cookies, do not install or only use test accounts. If you decide to use it, ask the author to fix the config path mismatch, remove/clarify the payment/marketing text, and either implement Xiaohongshu or remove it from the description.

Like a lobster shell, security has layers — review code before you run it.

automationvk97ftjfpn27gpm05jtk7jk5ykh8396nvchinesevk97ftjfpn27gpm05jtk7jk5ykh8396nvlatestvk97ftjfpn27gpm05jtk7jk5ykh8396nvpublishvk97ftjfpn27gpm05jtk7jk5ykh8396nvsocialvk97ftjfpn27gpm05jtk7jk5ykh8396nv
179downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0
@yang1002378395-cmyk
automationchineselatestpublishsocial
Download

SKILL.md - 社交媒体一键发布助手

描述

一键发布内容到多个社交媒体平台(掘金/知乎/微博/小红书),支持定时发布和格式适配。

功能

  • 多平台发布:掘金、知乎、微博、小红书
  • 格式适配:自动适配各平台字数限制和格式要求
  • 定时发布:设置发布时间,自动执行
  • 发布日志:记录发布链接和状态

使用方法

# 安装
claw install social-publisher

# 发布到所有平台
claw run social-publisher --content "文章内容" --title "标题"

# 发布到指定平台
claw run social-publisher --platform juejin --content "文章内容"

# 定时发布
claw run social-publisher --content "文章内容" --schedule "2026-03-21 10:00"

配置

需要在 ~/.openclaw/workspace/config/social-publisher.json 配置各平台 Cookie:

{
  "juejin": {
    "cookie": "your-juejin-cookie"
  },
  "zhihu": {
    "cookie": "your-zhihu-cookie"
  },
  "weibo": {
    "cookie": "your-weibo-cookie"
  }
}

注意事项

  • Cookie 有效期约 1 年,过期需重新登录获取
  • 小红书需要人工验证码,无法完全自动化
  • 建议先用测试账号验证发布功能

价格

免费(引流到安装服务 ¥99)

作者

yang1002378395

Comments

Loading comments...