Weibo auto-publishing skill. Generates an accompanying image with PIL (warm style / tech style / late-night style / comparison card) → pastes the image from the clipboard → publishes through browser automation. Trigger scenarios: help me post to Weibo, publish a scheduled Weibo post, generate a Weibo image, set up a scheduled Weibo posting task.
Security Analysis
medium confidence
The skill largely does what its description says (generate images and automate posting), but there are multiple mismatches and unsafe assumptions (Windows-only hardcoded paths, undeclared local file reads/writes, Playwright mention vs pyautogui use, and scripted file deletions) that warrant caution before installing or running automatically.
Name/description (Weibo auto-post with image generation) matches the included scripts (make_card.py and publish.py). However SKILL.md claims Playwright installation is required while the actual publish.py uses pyautogui/pyperclip and PowerShell; that's an incoherence. The package makes hardcoded Windows-specific path assumptions (C:\Users\13113\..., D:\QClaw_workspace) but the registry metadata declares no OS restriction—this is inconsistent and surprising.
Runtime instructions and the cron payload ask the agent to: search web hot topics, read and write a local execution-record file (D:\QClaw_workspace\weibo_plan_v2.md), manipulate the GUI (screenshot, click, paste), and delete files in specific local directories. The cron guide explicitly instructs reading/writing a local file and using system PowerShell commands—operations outside a minimal posting scope and not declared in metadata.
No install spec (instruction-only) and no network downloads—lower install risk. But SKILL.md instructs running `playwright install chromium` while code doesn't use Playwright; dependencies (Pillow, pyautogui, pyperclip) are required but not declared. Missing/incorrect dependency guidance is a practical risk (and an incoherence).
The skill declares no required env vars or config paths but the cron guide and scripts assume access to and modification of specific local paths (C:\Users\13113\Pictures, $env:TEMP, D:\QClaw_workspace\weibo_plan_v2.md). It also uses the logged-in browser session (cookies/credentials in the browser). Hardcoded file operations and deletion commands (Remove-Item) are disproportionate and should have been declared or parameterized.
always:false (good). However the skill includes a cron example that would let the agent autonomously perform scheduled posts and modify local files. GUI automation (mouse/keyboard control, screenshots, file deletion) combined with autonomous invocation increases blast radius—exercise caution enabling scheduled/automatic runs.
Guidance
Things to consider before installing or enabling this skill:
- Inconsistencies: SKILL.md tells you to install Playwright, but the code uses pyautogui/pyperclip and PowerShell. Confirm and install only the actual dependencies (Pillow, pyautogui, pyperclip) and remove misleading instructions.
- Windows-only assumptions: The scripts and cron examples use Windows paths (C:\Users\..., D:\...) and PowerShell commands, but the skill metadata does not restrict OS. Don't run on non-Windows systems; on Windows, inspect and adapt hardcoded paths to your environment.
- Local-file access: The cron guide instructs reading/writing D:\QClaw_workspace\weibo_plan_v2.md, and the scripts delete C:\Users\13113\Pictures\weibo_*.png and temp screenshots. If that path is not yours, the script may fail or, if modified, could delete files unexpectedly. Require the skill to use configurable paths instead of hardcoded ones.
- GUI automation risks: publish.py uses pyautogui to click/type based on screen coordinates and will control your desktop (including taking screenshots). Run initial tests in a controlled environment (virtual machine or an isolated user session) and avoid enabling scheduled autonomous runs until you've verified behavior.
- Credentials: The skill relies on an already logged-in browser; it does not request explicit credentials. Be aware that it will act using whatever browser session is active (cookies), so revoke or isolate the account if you do not trust automated posting.
- Recommended changes before use: (1) Parameterize all local paths and declare them in metadata; (2) remove or fix the Playwright reference; (3) add an OS restriction to Windows if intended; (4) replace hardcoded delete commands with safer cleanup that confirms targets and uses configurable directories; (5) avoid automatic scheduling until you have tested manually.
If you are not comfortable auditing or running these scripts locally, do not enable scheduled/autonomous execution and consider running the code only in an isolated VM or test account.
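To make recommendations (1) and (4) concrete, here is an example cleanup routine added to this review (it is not the skill's own publish.py code): the image directory comes from configuration rather than a hardcoded user profile, every candidate is resolved and checked to sit directly inside that directory, and nothing is deleted unless dry-run is explicitly switched off. The environment variable name WEIBO_IMAGE_DIR is an assumption for this example.

```python
"""Safer cleanup for generated Weibo card images (example added to this
review, not part of the skill). Replaces a hardcoded
Remove-Item C:\\Users\\13113\\Pictures\\weibo_*.png with a configurable,
confirm-before-delete routine."""
import os
from pathlib import Path


def find_cleanup_targets(base_dir, pattern="weibo_*.png"):
    """Return regular files matching `pattern` directly inside `base_dir`.

    Patterns with path separators or '..' are rejected, symlinks are skipped,
    and anything whose resolved parent is not `base_dir` is ignored, so a
    misconfigured pattern cannot reach outside the configured directory.
    """
    if any(tok in pattern for tok in ("/", "\\", "..")):
        raise ValueError(f"pattern must be a plain filename glob: {pattern!r}")
    base = Path(base_dir).resolve()
    if not base.is_dir():
        raise ValueError(f"cleanup directory does not exist: {base}")
    targets = []
    for candidate in base.glob(pattern):
        if candidate.is_symlink() or not candidate.is_file():
            continue
        resolved = candidate.resolve()
        if resolved.parent != base:  # must sit directly inside base_dir
            continue
        targets.append(resolved)
    return sorted(targets)


def cleanup_generated_images(base_dir=None, pattern="weibo_*.png", dry_run=True):
    """List (default) or delete generated card images.

    `base_dir` falls back to the WEIBO_IMAGE_DIR environment variable (an
    assumed name for this example) instead of a fixed user's Pictures folder.
    Returns the list of paths that were, or in dry-run mode would be, removed.
    """
    if base_dir is None:
        base_dir = os.environ.get("WEIBO_IMAGE_DIR")
        if not base_dir:
            raise ValueError("set WEIBO_IMAGE_DIR or pass base_dir explicitly")
    targets = find_cleanup_targets(base_dir, pattern)
    if not dry_run:
        for path in targets:
            path.unlink()
    return targets
```

Run it once with the default dry run, review the returned list, and only then call it with `dry_run=False` from the posting workflow.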
Latest Release
v1.0.0
Initial release: Enables fully automated Weibo posting with image generation and browser automation.
- Generates post images in four styles (warmth, tech, midnight, contrast) using PIL.
- Automates the Weibo posting workflow: image creation → clipboard copy → browser submission → cleanup.
- Supports scheduled posting and custom content strategies.
- Includes troubleshooting tips for image pasting, coordinate calibration, and account security.
- Provides scripts for image generation, automated posting, and temporary file cleanup.
Published by @apple-sugar-xing on ClawHub