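📦 Toutiao Assistant — Toutiao Operations Assistant
v1.0.0
One-stop automated operation of Toutiao accounts: real-time trend tracking, AI-generated articles and cover images, and scheduled automatic publishing, helping independent creators and marketing teams grow followers efficiently.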
Last updated: 2026/4/1
Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill does what its name promises, but it leaves important operational and security details unspecified. Before installing or using it:
- Ask the author for source code or a homepage and for a clear list of required credentials, binaries, and install steps. The package currently declares none while the instructions expect account+password and browser automation.
- Do not paste account passwords into a skill prompt. Prefer OAuth or session-based auth, or confirm where credentials are store...
Detailed analysis
⚠ Purpose and capabilities
The skill claims to manage Toutiao accounts, monitor multi-platform hotspots, generate content, design covers, and auto-publish — these functions are coherent for a social-media ops tool. However, publishing and browser automation legitimately require credentials and automation tooling (e.g., a browser driver), yet the registry metadata declares no required env vars, no required binaries, and no install steps. The missing declared requirements are disproportionate to the stated capabilities.
⚠ Instruction scope
SKILL.md instructs agents to scrape/monitor multiple platforms (Weibo/Douyin/Zhihu/Toutiao), collect metrics, and perform browser-based automated publishing using account+password. The instructions do not specify how credentials are obtained/stored, which external APIs/endpoints are used, or limits on data handling. That leaves room for the agent to request or handle sensitive secrets and to perform large-scale scraping or external posting without explicit safeguards.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files required to be written to disk. That minimizes direct install-time risk. (Note: runtime actions like browser automation would still require local tooling, but the skill doesn't declare them.)
⚠ Credential requirements
The SKILL.md explicitly says the user must have a Toutiao account (账号+密码, i.e. account + password) and needs browser automation, but requires.env and primary credential fields are empty. Requiring account credentials is plausible for publishing, but the skill should declare what secrets it expects, how they are passed/stored, and whether OAuth/session-based auth is supported. Absence of declared credential requirements is an incoherence and increases risk of ad-hoc credential collection.
ℹ Persistence and privileges
always is false and the skill is user-invocable; model invocation is enabled (default). Autonomous invocation plus a skill that can publish on a user's behalf increases potential impact, but autonomous invocation alone is a platform default and not sufficient to mark this malicious. Still, because the skill can perform publishing, you should prefer explicit user approval before each publish and consider disabling autonomous invocation if you do not trust the author.
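Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/4/1
● Pending
Install command
Official: npx clawhub@latest install toutiao-ops
Mirror (accelerated): npx clawhub@latest install toutiao-ops --registry https://cn.longxiaskill.com (mirror syncing)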