ClawHub

Weibo OpenClaw Ops

v1.2.0

Weibo operations for OpenClaw via server-side browser automation. Use when the user asks to log in by QR, persist session state, read feed/messages/hot topic...

2· 329·4 current·4 all-time
byQinyuan Cheng@xiami2019
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md exclusively describes server-side browser automation (login-by-QR, persist session state, read feed/messages, publish posts, bounded like/follow workflows). Nothing in the instructions requests unrelated credentials, binaries, or installs.
Instruction Scope
Instructions remain focused on Weibo automation and give concrete agent-browser commands and guardrails (explicit user consent for mutations, limits for batch likes, avoid pinned posts). They do instruct creating and loading a persistent session file (.state/weibo-auth.json) and recommend periodic (6–12h) read-only keepalive checks — both are within scope but expand the runtime behavior beyond a one-off user action.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which minimizes on-disk risk; nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no environment variables or external credentials, which matches its metadata. However, it explicitly instructs persisting session state (cookies/tokens) to .state/weibo-auth.json on the remote runtime — that file effectively contains authentication material and should be treated like sensitive credentials even though it's not represented as a required env/config in the metadata.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It does recommend periodic keepalive checks; this implies recurring network activity and persisted auth state but does not by itself indicate excessive privilege on the platform.
Assessment
This skill appears to do what it says: server-side browser automation for Weibo. Before installing, consider: 1) Session sensitivity — the .state/weibo-auth.json file will hold cookies/authorization tokens on the remote runtime; confirm who can access that host, how long the file is kept, and how to delete or revoke it. 2) Keepalive scheduling — the skill recommends automated checks every 6–12 hours; clarify whether those runs require explicit consent each time or will run autonomously, and ensure this won't violate Weibo's terms or trigger anti-bot protections. 3) Mutations require explicit user intent per the instructions, but enforce this in your agent configuration (don’t rely solely on prose guardrails). 4) Because the skill is instruction-only and has no provenance or homepage, prefer running it in a controlled environment (limited-access runtime, audit logging, short retention) or request the skill author to provide an origin and a privacy/retention statement. If you need higher assurance, ask for: where session files are stored, who has access, retention policy, and an option to disable automatic keepalive.

Like a lobster shell, security has layers — review code before you run it.

latestvk978qdev5tqsfkh956qfw5e2dx82bzjc
329downloads
2stars
3versions
Updated 1mo ago
v1.2.0
MIT-0
Qinyuan Cheng@xiami2019
latest
Download

Weibo OpenClaw Ops

Core principles

  1. Assume runtime is a remote server, not the user's local desktop.
  2. Use browser automation (agent-browser) with persisted state for repeatable workflows.
  3. For mutating actions (like/follow/comment/repost/post), require explicit user intent and scope.
  4. For long tasks, send periodic progress updates.
  5. Run periodic read-only keepalive checks to reduce session expiry.
  6. If user policy requires attribution suffix, append it to all outbound texts (post/comment/repost) before submit.

Suggested state path

  • Session state file: .state/weibo-auth.json

Standard workflow

1) Load or create login session

  • Try load existing state:
    • agent-browser state load .state/weibo-auth.json
  • Open Weibo:
    • agent-browser open https://weibo.com
  • Verify login with snapshot (homepage/account UI present).

If login is invalid:

  1. Navigate to login/QR page.
  2. Ask user to scan QR in Weibo app.
  3. Re-check login success.
  4. Save state:
    • agent-browser state save .state/weibo-auth.json

2) Execute intent

Typical intents:

  • Feed reading / summary
  • Message or mentions check
  • Hot-topic scan
  • Recent-post lookup for target account
  • Post publishing
  • Rule-based like/follow batch

3) Report

Always return concise audit info:

  • actions performed
  • success / skipped counts
  • skip reasons
  • next suggested action

4) Keepalive routine (recommended)

Goal: reduce re-login frequency while minimizing risk-control triggers.

Cadence:

  • every 6-12 hours (read-only check)

Routine:

  1. agent-browser state load .state/weibo-auth.json
  2. agent-browser open https://weibo.com
  3. verify logged-in UI is present
  4. if valid -> agent-browser state save .state/weibo-auth.json
  5. if invalid -> notify user + restart QR login flow

Rules:

  • Keepalive must not perform mutating actions (no like/comment/repost/post/follow).
  • Keepalive only validates session health and refreshes local state persistence.

“Recent post” rule (important)

When user asks “最近发了什么 / latest post”, return the post with timestamp closest to now, not pinned posts.

Process:

  1. Open target profile.
  2. Collect visible post cards + timestamps.
  3. Detect 置顶 markers and skip pinned cards.
  4. If only pinned cards are visible, continue scrolling/paginating.
  5. Return latest non-pinned post summary + time + link.

Safe mutation templates

A) Publish a post

Before posting, confirm:

  • final copy text
  • whether hashtags/links are required
  • whether auto-signature is required by user policy

If policy requires suffix, verify it is present in final text before submit. Then publish and verify by profile snapshot.

A.1) Outbound text guardrail

For outbound text actions (post/comment/repost):

  1. Build final text.
  2. Check policy-required suffix exists.
  3. If missing, append suffix on a new line.
  4. Submit.

B) Rule-based like batch

Require at least:

  • include rules (keywords/authors/topics)
  • max actions (e.g., 20)
  • exclusion rules (ads/sponsored/blocked words)

Execute with limits and output action summary.

Failure handling

  • DOM changed -> re-snapshot and switch selectors.
  • Interaction unstable -> slow down operations and reload page.
  • Login expired -> restart QR login and refresh saved state.

Privacy and safety

  • Never store or output user passwords in skill files.
  • Keep account identifiers, private handles, and channel-specific IDs out of public skill content.
  • Keep posted examples generic and non-identifying.

Comments

Loading comments...