DEV Community: Haoyang Pang

We ran MiroFish on a real brand campaign. 105 AI agents. 6 minutes. Here's what happened.

Haoyang Pang — Wed, 18 Mar 2026 07:12:10 +0000

MiroFish hit GitHub #1 trending last week (28K stars). Everyone's asking: what can you actually build with it?

We built Campaign Pressure Test™ — a brand safety simulation for marketing teams. Here's a real run on a Singapore fashion brand (Nimisski) launching a spring campaign on Xiaohongshu.

The Problem

Brands spend $50K–$500K on campaigns that flop because no one tested whether the audience would actually respond. Traditional focus groups take 2–4 weeks and cost $15K+. By the time you know it won't work, you've already bought the media.

What We Built on Top of MiroFish

Standard MiroFish takes any seed document and spawns AI agents. We added one proprietary layer: Style Genome™ injection.

Before simulation, we embed a 768-dimensional brand memory vector into the seed document. This makes every agent brand-aware — they know Nimisski's price positioning ($189–449 SGD), aesthetic language (Korean-minimal), and competitive context before the simulation starts.

The result: agents don't just react to "a fashion campaign." They react to this brand's campaign, the way this brand's target consumers would.

Real Results (345 seconds, not simulated)

Brief fed to MiroFish:

"Spring Awakening campaign. Platform: Xiaohongshu. Market: Singapore. Korean-minimal fashion. Target: 25–35 urban women."

Output:

7 posts generated organically by agents
17 comments, 105 total actions
Brand Safety Score: 9.2/10 ✅
Engagement rate: 40% (likes ÷ total actions)

The competitor risk it caught — unprompted:

Agents independently introduced Pomelo with the message "wide range of trendy and affordable options." Zero instructions to mention competitors. The simulation surfaced that Nimisski's $189–449 price range would face organic competitive framing from Pomelo unless campaign copy proactively justified the premium.

That's signal you can't get from a survey.

The Technical Stack

# 9-step MiroFish pipeline
1. ontology/generate    # Build knowledge graph from seed
2. graph/build         # GraphRAG construction
3. graph/task poll     # Wait for graph ready
4. simulation/create   # Initialize sim with agent count
5. simulation/prepare  # Inject Style Genome seed here
6. prepare/status poll # Wait for agents to load
7. simulation/start    # Launch the swarm
8. run-status poll     # Monitor until complete
9. posts + comments + agent_stats  # Extract results

Key gotcha: Use gemini-2.0-flash, NOT gemini-2.5-flash. The thinking tokens in 2.5 cause 500 errors on MiroFish's simulation endpoint.

Brand Safety Score formula:

score = (positive_pct * 5.0) + \
        ((1 - negative_pct) * 3.0) + \
        ((1 - safety_flag_pct) * 2.0) - penalty

Why This Matters Now

MiroFish is still a raw engine — Docker + API key setup, no UI, no reporting. Most devs who clone it give up before getting value.

We wrapped it into a one-command CLI:

python run_pressure_test.py \
  --brief "Your campaign brief here" \
  --platform XHS \
  --industry fashion \
  --market Singapore

6 minutes → HTML/PDF report → Brand Safety Score.

The Competitive Moat

Every US synthetic research platform (Aaru $1B, Simile $100M) uses generic AI personas. None of them have brand memory. Our Style Genome™ vectors are trained on real campaign data from CanMarket's existing client base — Haleon, Starbucks, ByteDance, McCann.

An agent that knows your brand's DNA produces fundamentally different simulation outputs than a generic consumer persona.

Try It

$499/simulation — DM for Stripe link or free demo
Enterprise Monthly Guard: $2,500/month
Free demo for your next campaign: comment below or DM

The Starbucks Harry Potter APAC campaign launches in 5 days. We're running a simulation tonight.

CanMarket is a Brand Operating System. "Run performance marketing without breaking your brand." MWC 2025 Global Runner-up.

Every AI Agent Skills Platform You Need to Know in 2026

Haoyang Pang — Thu, 19 Feb 2026 16:55:47 +0000

In December 2025, Anthropic released the SKILL.md open standard — and OpenAI immediately adopted it for Codex CLI. Within weeks, an entire ecosystem exploded: 96,000+ skills on SkillsMP, 5,700+ on ClawHub, 17,000+ MCP servers on MCP.so.

But here's the problem: finding the right skill feels like drinking from a firehose. Some platforms have great search but terrible security. Others are safe but tiny. And 7% of one major registry literally leaks your API keys.

I spent a week mapping every platform, scanning for security, and testing quality. Here's the complete guide.

The Landscape at a Glance

                    AI Agent Skills Ecosystem (Feb 2026)

    ┌─────────────────────────────────────────────────────────┐
    │                    SKILL.md Standard                     │
    │         (Claude Code / Codex CLI / Gemini CLI)          │
    └──────────────────────┬──────────────────────────────────┘
                           │
         ┌─────────────────┼─────────────────┐
         │                 │                 │
    Claude Code        OpenClaw           MCP Servers
    Skills             Skills             (Universal)
         │                 │                 │
    SkillsMP (96K)    ClawHub (5.7K)    MCP.so (17K)
    SkillHub (7K)     awesome-oc (3K)   mcpservers.org
    awesome-* (many)  LobeHub            LobeHub MCP

Part 1: Claude Code Skills Platforms

Tier S: Official & Verified

Platform	Size	Why Use It
Anthropic Official Skills	Reference	The gold standard. Study these to learn how to write good skills.
awesome-agent-skills	380+	Skills from official dev teams: Anthropic, Vercel, Stripe, Cloudflare, Sentry, HuggingFace, Expo. Start here.

These are the only platforms where you can install without reading the source code first.

Tier A: Large Directories

Platform	Size	Strength	Watch Out
SkillsMP	96,751+	Largest directory. Smart search. Claude/Codex/ChatGPT compatible.	No security audit. Quantity over quality.
SkillHub	7,000+	AI scoring on 5 dimensions (S/A/B/C rank). Multi-platform.	Score doesn't check for security flaws.

Pro tip: On SkillHub, filter by S-Rank only. On SkillsMP, search by keyword then check the GitHub repo before installing.

Tier B: Curated Awesome Lists

Repo	Focus	Notable
travisvn/awesome-claude-skills	Claude Code specific	Well-organized, includes resources and tools
ComposioHQ/awesome-claude-skills	Workflow customization	Good for automation-heavy setups
hesreallyhim/awesome-claude-code	Full ecosystem	Includes Trail of Bits security skills (20+ auditing tools)
sickn33/antigravity-awesome-skills	800+ skills	Antigravity/Cursor compatible
karanb192/awesome-claude-skills	50+ verified	Every skill tested before inclusion

Part 2: OpenClaw Skills Platforms

The Official Registry

ClawHub — 5,705 skills, semantic search, CLI install (openclaw skill install <name>).

As of February 2026, ClawHub now integrates VirusTotal scanning for all new submissions. This was a direct response to the ClawHavoc incident (more on that below).

Community Collections

Platform	Focus
awesome-openclaw-skills	3,002 curated skills. Higher average quality than ClawHub.
BankrBot/openclaw-skills	Crypto/DeFi/trading automation niche
LobeHub OpenClaw	LobeChat ecosystem integration

Part 3: MCP Server Platforms (Works With Everything)

MCP (Model Context Protocol) servers work with Claude Code, OpenClaw, and most AI agents. They're complementary to skills — skills teach behavior, MCP servers provide tool access.

Platform	Size	Best For
MCP.so	17,749	Largest directory. Community-driven.
MCP Market	—	Clean UI, category browsing
mcpservers.org	—	The "awesome list" of MCP
LobeHub MCP	—	If you're in the LobeChat ecosystem
Cline Marketplace	—	One-click install for Cline users
Official MCP Servers	—	Anthropic-maintained. Reference implementations.

Part 4: Security — Read This Before Installing Anything

The Incidents

ClawHavoc (Feb 2026): 341 malicious skills on ClawHub distributed macOS malware. Skills looked legitimate but contained obfuscated download-and-execute payloads.

Snyk ToxicSkills: Scanning the entire ClawHub registry revealed 7.1% of skills (283) leak API keys — hardcoded credentials in source code that get copied into your environment.

The Register investigation: Demonstrated how easy it is to backdoor OpenClaw skills and exfiltrate data through seemingly innocent file operations.

Security Tools

Tool	Type	What It Does
SecureClaw	Open source	55 automated audit checks, maps to OWASP Agentic Top 10 and MITRE ATLAS. Free.
SafeClaw Scanner	SaaS	Pre-install scan for malicious patterns, data exfiltration, excessive permissions.
ClawHub VirusTotal	Built-in	Automatic virus scanning on ClawHub (added Feb 2026).

My Install Checklist

Before installing ANY skill from a non-official source:

[ ] Check the author's GitHub profile (age, other repos, stars)
[ ] Read SKILL.md — does the description match what the code does?
[ ] Search for network calls (fetch, http, curl, requests)
[ ] Search for file system writes outside the project directory
[ ] Search for environment variable reads (process.env, os.environ)
[ ] Run SecureClaw if it's an OpenClaw skill
[ ] Check if the skill asks for permissions it shouldn't need

Part 5: The SKILL.md Standard (Quick Reference)

All platforms now use the same format:

~/.claude/skills/my-skill/SKILL.md    # Claude Code (personal)
.claude/skills/my-skill/SKILL.md      # Claude Code (project)
~/.codex/skills/my-skill/SKILL.md     # Codex CLI

Structure:


name: my-skill          # becomes /my-skill slash command
description: "..."      # used for auto-discovery
license: MIT

# My Skill

Instructions for the agent go here.
Keep under 500 lines / 5,000 tokens.

Compatible with: Claude Code, Codex CLI, Antigravity, Gemini CLI, Cursor, OpenCode.

My Recommendations

If you want safety first

Start with awesome-agent-skills. 380+ skills from Anthropic, Vercel, Stripe, Cloudflare, Sentry, HuggingFace, Trail of Bits. Every skill is from an official dev team.

If you want volume

SkillsMP has 96K+ skills with good search. But always check the source repo before installing.

If you want quality scoring

SkillHub S-Rank skills (9.0+/10) are generally solid. The AI scoring isn't perfect but filters out the worst.

If you're on OpenClaw

ClawHub + SecureClaw. Install SecureClaw first, then use it to audit everything else.

If you need MCP servers

MCP.so for discovery, official repo for reference implementations.

Numbers at a Glance

What	Count
Total Claude Code skills across all platforms	~100,000+
Total OpenClaw skills (ClawHub)	5,705
Total MCP servers (MCP.so)	17,749
Official/verified skills (awesome-agent-skills)	380+
Known malicious skills removed (ClawHavoc)	341
Skills leaking API keys (Snyk scan)	283

The agent skills ecosystem is growing fast — faster than anyone can curate. The SKILL.md standard was the inflection point that unified everything. But with 100K+ skills and counting, the real skill is knowing where to look and what to avoid.

Start small. Start official. Audit everything else.

Built with Claude Code. If you found this useful, follow me for more AI tooling deep dives.

I Open-Sourced Claude Code Skills for Reddit and DEV.to Automation (AppleScript + Chrome)

Haoyang Pang — Mon, 09 Feb 2026 18:19:57 +0000

Every browser automation tool — Playwright, Selenium, Puppeteer — sets navigator.webdriver=true. Reddit detects it instantly. DEV.to's React editor fights back against programmatic input. I needed a different approach.

Turns out macOS has had the answer all along: AppleScript can execute JavaScript inside your real Chrome browser. Same cookies, same fingerprint, same everything. Sites literally cannot tell the difference between you and the script.

I built two Claude Code skill packages around this technique and open-sourced them.

The Skills

1. Reddit Automation (`claude-skill-reddit`)

Two skills in one repo:

reddit-cultivate — Automated karma building

Scans rising posts across target subreddits via /r/{sub}/rising.json
Drafts natural, value-first comments
Posts via Reddit's internal /api/comment endpoint
Outputs a summary table with direct links to every comment

reddit-post — Submit posts to any subreddit

Text posts or link posts via /api/submit
Automatic modhash (CSRF) handling
Flair detection and application
Spam filter avoidance guidelines

2. DEV.to Publishing (`claude-skill-devto`)

devto-post — Publish articles via CSRF API

Bypasses DEV.to's buggy React editor entirely
Uses POST /articles with X-CSRF-Token
Single API call = article published
Handles long articles via temp file + JXA injection

The Core Technique

# Execute JavaScript in Chrome's active tab
osascript -e 'tell application "Google Chrome" to tell active tab of first window to execute javascript "fetch(\"/api/me.json\").then(r=>r.json()).then(d=>{document.title=JSON.stringify(d)})"'

# Read async result back via document.title
sleep 2
osascript -e 'tell application "Google Chrome" to return title of active tab of first window'

The document.title trick is key — since AppleScript can't directly await async JS, we write results to the page title and read it back.

For complex JavaScript (avoiding escaping hell), use JXA:

osascript -l JavaScript -e '
var chrome = Application("Google Chrome");
var tab = chrome.windows[0].activeTab;
tab.execute({javascript: "(" + function() {
    // Any JS here — no escaping needed
    fetch("/api/endpoint", {credentials: "include"})
        .then(r => r.json())
        .then(d => { document.title = JSON.stringify(d); });
} + ")();"});
'

Why Not Just Use the APIs Directly?

Reddit API requires OAuth app registration and gets rate-limited/IP-blocked fast
DEV.to editor has React state bugs (tags concatenate, auto-save drafts persist bad state)
AppleScript + Chrome uses your existing login session — no tokens, no registration, no detection

Install

npx skills add PHY041/claude-skill-reddit
npx skills add PHY041/claude-skill-devto

Or clone directly:

Requirements: macOS + Chrome with "Allow JavaScript from Apple Events" enabled (Chrome → View → Developer → toggle it on, then restart Chrome).

What I Learned Building These

The document.title trick is universal — works for any async operation on any site
JXA > AppleScript for complex JS — no escaping, template literals work
DEV.to's CSRF API is way more reliable than the editor — one POST call vs fighting React state
Reddit's internal API is the same one their frontend uses — same-origin fetch with cookies just works
Chrome multi-profile can break AppleScript — always check count of windows first and fall back to System Events + Console keyboard automation

These skills are the real deal — I use them daily for my own Reddit cultivation and blog publishing. Feedback and PRs welcome!

The Browser Automation Cheat Code Nobody Talks About: AppleScript + Chrome

Haoyang Pang — Mon, 09 Feb 2026 18:02:03 +0000

Part 1: The Problem — Why Every Browser Automation Tool is Broken

The Arms Race

Every major website (Reddit, Twitter, LinkedIn, Facebook, Amazon) has invested millions in detecting automated browsers. They check for:

navigator.webdriver flag (Playwright/Selenium set this to true)
Chrome DevTools Protocol fingerprint
Missing browser plugins (real Chrome has extensions, automated Chrome doesn't)
Canvas/WebGL fingerprinting differences
Mouse movement patterns (or lack thereof)
Request timing patterns (bots are too fast, too regular)
TLS fingerprinting (headless browsers have different TLS signatures)
CDP (Chrome DevTools Protocol) artifacts

Tool-by-Tool Breakdown: Why They All Fail

Selenium

Sets navigator.webdriver = true — instant detection
Different browser fingerprint from real Chrome
Launches a fresh profile every time (no cookies, no history = suspicious)
Detectable through JavaScript: window.chrome.runtime is undefined
Many sites block it outright (Cloudflare, Akamai, PerimeterX)

Playwright

Same navigator.webdriver problem
Uses a patched Chromium, not real Chrome — fingerprint differs
Even with stealth plugins (playwright-extra, puppeteer-extra-plugin-stealth), sophisticated sites detect it
Reddit specifically blocks Playwright — returns 403 "Blocked" on page load
Can't use the user's existing cookies/session without complex injection

Puppeteer

Shares Playwright's problems (both use CDP)
Headless mode has distinct fingerprint vs headed mode
HeadlessChrome in User-Agent is a dead giveaway
Even --headless=new (new headless mode) gets caught by advanced detection

Chrome DevTools Protocol (CDP) Direct

Requires Chrome launched with --remote-debugging-port
Chrome REFUSES to enable debugging on the default profile: "DevTools remote debugging requires a non-default data directory"
Non-default data directory = fresh profile = no cookies = no login
Copying the profile is complex (multi-GB, encryption issues)

curl / HTTP Client Libraries

No browser fingerprint at all — easily identified as a script
No JavaScript execution capability
Reddit rate-limits aggressively (IP block after a few rapid requests)
Can't handle JavaScript-rendered content
Session cookies (HttpOnly) can't be set from outside the browser

Undetected-Chromedriver / Stealth Plugins

Cat-and-mouse game — patches lag behind detection updates
Still launches a separate browser instance
Doesn't have the user's real cookies, extensions, history
Only delays detection, doesn't prevent it
Breaks with every Chrome update

The Core Problem

All these tools share the same fundamental flaw: they create a synthetic browser environment. No matter how good the emulation, it's never identical to a real user's browser. Detection systems don't need to find one smoking gun — they correlate dozens of subtle signals.

Part 2: The Discovery — AppleScript is the Cheat Code

What is AppleScript Chrome Control?

macOS has a built-in automation framework called AppleScript. Chrome (and other apps) expose an AppleScript interface that allows external scripts to:

Navigate tabs to URLs
Execute JavaScript in any tab
Read tab properties (title, URL)
Control windows (open, close, resize)

The critical insight: this JavaScript executes inside the user's actual Chrome process. Not a copy. Not an emulation. The real thing.

Why This is Fundamentally Different

Traditional Automation:
  Script → Launches new browser → Controls it → Website detects fake browser

AppleScript Automation:
  Script → Talks to EXISTING Chrome → Chrome does the work → Website sees real user

The website cannot distinguish AppleScript-triggered JavaScript from user-triggered JavaScript because there is no difference at the browser level. The JavaScript runs in the exact same V8 context, with the exact same cookies, the same extensions, the same fingerprint. Chrome doesn't know or care that the command came from AppleScript instead of a keyboard.

What This Means

Property	The website sees...
Browser fingerprint	The user's real Chrome (with all extensions, plugins)
Cookies	The user's real cookies (including HttpOnly ones!)
TLS fingerprint	Chrome's real TLS stack
navigator.webdriver	`false` (not automation)
Login session	Already authenticated
IP address	The user's real IP (same as their normal browsing)
Canvas/WebGL	Real GPU rendering

There is literally nothing to detect. The request IS from a real browser. Because it IS a real browser.

Part 3: The Full Technical Guide

3.1 One-Time Setup

Enable JavaScript from Apple Events

Chrome menu → View → Developer → Allow JavaScript from Apple Events ✓

Then restart Chrome (Cmd+Q, reopen).

This is a security feature — Chrome requires explicit opt-in before allowing external JavaScript execution. It persists across restarts.

Verify It Works

osascript -e 'tell application "Google Chrome" to tell active tab of first window to execute javascript "document.title"'

Should return the current tab's title. If you get an error about "JavaScript through AppleScript is turned off", restart Chrome.

3.2 Three Core Operations

Everything you can do reduces to three operations:

Operation 1: Navigate

osascript -e '
tell application "Google Chrome"
    tell active tab of first window
        set URL to "https://www.reddit.com"
    end tell
end tell'

Operation 2: Execute JavaScript

osascript -e '
tell application "Google Chrome"
    tell active tab of first window
        execute javascript "1 + 1"
    end tell
end tell'
# Returns: 2

Operation 3: Read Tab Properties

osascript -e '
tell application "Google Chrome"
    return title of active tab of first window
end tell'

3.3 The document.title Trick — Getting Complex Data Out

AppleScript's execute javascript returns the result of the expression. But for async operations (like fetch()), we need a workaround:

Run async JS that writes the result to document.title
Wait for it to complete
Read document.title

# Step 1: Execute async JS, store result in title
osascript -e '
tell application "Google Chrome"
    tell active tab of first window
        execute javascript "fetch(\"/api/me.json\", {credentials: \"include\"}).then(r => r.json()).then(d => { document.title = \"RESULT:\" + JSON.stringify(d) })"
    end tell
end tell'

# Step 2: Wait
sleep 2

# Step 3: Read result
osascript -e '
tell application "Google Chrome"
    return title of active tab of first window
end tell'
# Returns: RESULT:{"data":{"name":"myuser","karma":123,...}}

Why document.title? It's the simplest channel to pass data from the browser JS context back to the shell. The title has a practical limit of a few KB, which is enough for most API responses.

3.4 Making Authenticated API Calls

Since the browser is already logged in, we can use fetch() with credentials: "include" to make API calls that automatically include all cookies — even HttpOnly ones that JavaScript can't read directly.

// This runs inside the logged-in Chrome — cookies are sent automatically
fetch("/api/endpoint.json", {
    credentials: "include"  // This is the magic — sends all cookies
})

For POST requests (posting, commenting, voting), most sites require a CSRF token:

// Step 1: Get CSRF/modhash token
let me = await fetch("/api/me.json", {credentials: "include"}).then(r => r.json());
let csrf = me.data.modhash;  // Reddit calls it "modhash"

// Step 2: POST with the token
await fetch("/api/comment", {
    method: "POST",
    credentials: "include",
    headers: {"Content-Type": "application/x-www-form-urlencoded"},
    body: `thing_id=t3_abc123&text=Hello&uh=${csrf}&api_type=json`
});

3.5 JXA (JavaScript for Automation) — Avoiding Escaping Hell

AppleScript has painful string escaping (nested quotes are a nightmare). JXA is macOS's JavaScript-based alternative that solves this:

osascript -l JavaScript -e '
var chrome = Application("Google Chrome");
var tab = chrome.windows[0].activeTab;
tab.execute({javascript: "(" + function() {
    // Write normal JavaScript here — no escaping needed!
    var data = {hello: "world"};
    document.title = JSON.stringify(data);
} + ")();"});
'

The trick: define a JS function, .toString() it (via + concatenation), and pass that string to execute. This means you write clean JavaScript without worrying about AppleScript string escaping.

3.6 Targeting Specific Tabs

# Active tab of first window (most common)
tell active tab of first window

# Specific tab by index
tell tab 3 of first window

# Specific window
tell active tab of window 2

# Find tab by URL
tell application "Google Chrome"
    repeat with t in tabs of first window
        if URL of t contains "reddit.com" then
            execute javascript "document.title" in t
        end if
    end repeat
end tell

3.7 Opening New Tabs

osascript -e '
tell application "Google Chrome"
    tell first window
        make new tab with properties {URL:"https://www.reddit.com"}
    end tell
end tell'

Part 4: Our Reddit Automation — The Full Story

The Journey (What We Tried)

We needed to automate Reddit posting and commenting. Here's every approach we tried, in order:

Attempt 1: Playwright MCP Browser

Opened a new Playwright browser
Navigated to reddit.com
Result: Reddit returned 403 "Blocked" — detected automation immediately
Even with injected cookies via context.addCookies(), Reddit still blocked the page

Attempt 2: Cookie Injection

User exported all cookies (including HttpOnly) from Cookie Editor extension
Injected 14 cookies into Playwright via context.addCookies()
Navigated to reddit.com
Result: Still 403 "Blocked" — cookie injection doesn't fix the browser fingerprint

Attempt 3: Chrome DevTools MCP

Launched Chrome with --remote-debugging-port=9222
Chrome error: "DevTools remote debugging requires a non-default data directory"
Used --user-data-dir=/tmp/chrome-debug → works but fresh profile, no cookies
Could navigate to Reddit (not blocked!) but couldn't log in
Tried injecting HttpOnly cookies via document.cookie — can't set HttpOnly from JS
Result: Dead end — can't authenticate

Attempt 4: Reddit API via curl

Used token_v2 (JWT from browser cookies) as Bearer token
First call: HTTP 200 — it works!
Second call: HTTP 200 (features only, no user data)
Third call: 403 "Blocked" — IP rate-limited
Result: Token works but IP gets blocked after a few rapid requests

Attempt 5: AppleScript Chrome Control (THE WIN)

Remembered macOS can control Chrome via AppleScript
One prerequisite: enable "Allow JavaScript from Apple Events"
Needed Chrome restart after enabling
First test: execute javascript "document.title" → works!
Navigate to reddit.com → not blocked (it's the real Chrome)
fetch("/api/me.json") → returns user data (already logged in!)
Post comment via fetch("/api/comment") → comment posted successfully
Result: Full automation with zero detection

The Working Pipeline

Step 1: Navigate to reddit.com (if not already there)
    osascript → Chrome → set URL to reddit.com

Step 2: Scan for opportunities
    osascript → Chrome → fetch("/r/SideProject/rising.json")
    → Filter: score > 2, comments < 15

Step 3: Generate comment
    Claude Code / GPT-5.2 → draft value-first comment

Step 4: Human review
    Show comment to user → user approves

Step 5: Get CSRF token (modhash)
    osascript → Chrome → fetch("/api/me.json") → extract modhash

Step 6: Post comment
    osascript → Chrome → fetch("/api/comment", {method: "POST", body: ...})

Step 7: Verify
    Read API response → confirm comment ID and permalink

Actual Commands Used

# Check login status
osascript -e '..execute javascript "fetch(\"/api/me.json\",{credentials:\"include\"}).then(r=>r.json()).then(d=>{document.title=\"USER:\"+JSON.stringify({name:d.data.name,karma:d.data.total_karma})})"'
# → USER:{"name":"BP041","karma":35}

# Scan rising posts
osascript -e '..execute javascript "fetch(\"/r/SideProject/rising.json?limit=5\",{credentials:\"include\"}).then(r=>r.json()).then(d=>{let posts=d.data.children.map(c=>({t:c.data.title.substring(0,60),s:c.data.score,c:c.data.num_comments,id:c.data.name}));document.title=\"POSTS:\"+JSON.stringify(posts)})"'

# Get modhash
osascript -e '..execute javascript "fetch(\"/api/me.json\",{credentials:\"include\"}).then(r=>r.json()).then(d=>{document.title=\"MH:\"+d.data.modhash})"'

# Post comment (using JXA to avoid escaping issues)
osascript -l JavaScript -e '
var chrome = Application("Google Chrome");
var tab = chrome.windows[0].activeTab;
tab.execute({javascript: "(" + function() {
    var body = new URLSearchParams({
        thing_id: "t3_1qzoq6p",
        text: "Your comment here",
        uh: "modhash_here",
        api_type: "json"
    });
    fetch("/api/comment", {
        method: "POST",
        credentials: "include",
        headers: {"Content-Type": "application/x-www-form-urlencoded"},
        body: body.toString()
    }).then(r=>r.json()).then(d=>{document.title="POSTED:"+JSON.stringify(d)});
} + ")();"});
'

Part 5: Beyond Reddit — This Works Everywhere

The Pattern is Universal

Any website that you can use in Chrome, you can automate with this method:

Platform	What you can automate
Reddit	Post, comment, upvote, browse, subscribe
Twitter/X	Tweet, reply, like, retweet, DM
LinkedIn	Post, comment, connect, message
Instagram	Like, comment (web version)
GitHub	Create issues, PRs, review code
Any SaaS	Any action you can do in the browser

The Same Three Steps Apply

Navigate to the site (or verify you're already there)
Execute fetch() calls using credentials: "include"
Read results via document.title

For Sites with Complex SPAs

Some sites (Twitter, LinkedIn) are heavy SPAs where the API isn't as clean as Reddit's. For these, you can also use DOM manipulation:

// Click a button
document.querySelector('[data-testid="tweetButton"]').click()

// Fill an input
document.querySelector('[data-testid="tweetTextarea"]').innerText = "Hello world"

// Trigger React's change event
let el = document.querySelector('input');
let ev = new Event('input', {bubbles: true});
el.value = 'new value';
el.dispatchEvent(ev);

Part 6: Chrome Multi-Profile Bug & The System Events Fallback

The Problem

Chrome on macOS supports multiple user profiles (e.g. "Haoyang", "Work", "Personal"). When a user has multiple profiles, AppleScript's tell application "Google Chrome" can only see windows from ONE profile — and it's not always the one you need.

Symptoms:

osascript -e 'tell application "Google Chrome" to return count of windows'
# Returns: 0
# But the user clearly has Chrome windows open!

The user sees multiple Chrome windows with tabs, logged into various sites. But AppleScript reports 0 windows. This happens because Chrome's AppleScript interface only exposes windows from one profile context.

The Discovery

While tell application "Google Chrome" is blind, System Events can see ALL Chrome windows regardless of profile:

osascript -e '
tell application "System Events"
    tell process "Google Chrome"
        return name of window 1
    end tell
end tell'
# Returns: "Reddit - The heart of the internet - Google Chrome - Haoyang"
# ^^^^ System Events sees it!

The Solution: Console + Clipboard

Since we can't use execute javascript on an invisible-to-AppleScript window, we use a keyboard-based approach:

Copy JavaScript code to clipboard via pbcopy
Open Chrome Console via keyboard shortcut Cmd+Option+J
Select all in console Cmd+A (clear previous)
Paste from clipboard Cmd+V
Execute by pressing Enter
Close console Cmd+Option+J
Read document.title via System Events

Implementation

# Step 1: Copy JS to clipboard (use python3 to avoid shell escaping)
python3 -c "
import subprocess
js = '''(async()=>{
    let r = await fetch('/api/me.json', {credentials: 'include'});
    let d = await r.json();
    document.title = 'USER:' + JSON.stringify({name: d.data.name, karma: d.data.total_karma});
})()'''
subprocess.run(['pbcopy'], input=js.encode(), check=True)
"

# Step 2: Open console, paste, execute, close console
osascript -e '
tell application "System Events"
    tell process "Google Chrome"
        set frontmost to true
        delay 0.3
        -- Open JS console (Cmd+Option+J)
        key code 38 using {command down, option down}
        delay 1
        -- Select all (clear previous code)
        keystroke "a" using {command down}
        delay 0.2
        -- Paste JS from clipboard
        keystroke "v" using {command down}
        delay 0.5
        -- Press Enter to execute
        key code 36
        delay 0.3
        -- Close console
        key code 38 using {command down, option down}
    end tell
end tell'

# Step 3: Wait and read result from window title
sleep 3
osascript -e '
tell application "System Events"
    tell process "Google Chrome"
        return name of window 1
    end tell
end tell'
# Returns: "USER:{"name":"BP041","karma":37} - Google Chrome - Haoyang"

POST Example (Posting a Reddit Comment)

python3 -c "
import subprocess
js = '''(async()=>{
    let me = await fetch('/api/me.json', {credentials: 'include'}).then(r=>r.json());
    let uh = me.data.modhash;
    let body = new URLSearchParams({
        thing_id: 't3_1qzhcyg',
        text: 'Your comment text here',
        uh: uh,
        api_type: 'json'
    });
    let r = await fetch('/api/comment', {
        method: 'POST',
        credentials: 'include',
        headers: {'Content-Type': 'application/x-www-form-urlencoded'},
        body: body.toString()
    });
    let d = await r.json();
    let ok = d.json && d.json.errors.length === 0;
    document.title = 'RESULT:' + (ok ? 'SUCCESS' : 'FAIL:' + JSON.stringify(d.json.errors));
})()'''
subprocess.run(['pbcopy'], input=js.encode(), check=True)
"

osascript -e '
tell application "System Events"
    tell process "Google Chrome"
        set frontmost to true
        delay 0.3
        key code 38 using {command down, option down}
        delay 1
        keystroke "a" using {command down}
        delay 0.2
        keystroke "v" using {command down}
        delay 0.5
        key code 36
        delay 0.3
        key code 38 using {command down, option down}
    end tell
end tell'

sleep 5

osascript -e '
tell application "System Events"
    tell process "Google Chrome"
        return name of window 1
    end tell
end tell'
# Returns: "RESULT:SUCCESS - Google Chrome - Haoyang"

Auto-Detection: Which Method to Use

#!/bin/bash
# Detect if Method 1 or Method 2 is needed
WINDOWS=$(osascript -e 'tell application "Google Chrome" to return count of windows' 2>/dev/null)

if [ "$WINDOWS" != "0" ] && [ -n "$WINDOWS" ]; then
    echo "Method 1: AppleScript execute javascript (direct, fast)"
else
    # Check if System Events can see Chrome windows
    SE_WINDOW=$(osascript -e 'tell application "System Events" to tell process "Google Chrome" to return name of window 1' 2>/dev/null)
    if [ -n "$SE_WINDOW" ]; then
        echo "Method 2: System Events + Console + Clipboard (multi-profile fallback)"
    else
        echo "No Chrome windows found at all"
    fi
fi

Why This Happens

Chrome's AppleScript dictionary (Google Chrome.sdef) exposes windows per-profile. When Chrome starts, it associates AppleScript access with one profile context. Windows from other profiles exist at the macOS level (visible to System Events, Accessibility API, and the user) but are invisible to tell application "Google Chrome".

This is likely a Chrome bug, not a feature. But the System Events fallback is reliable and battle-tested.

Method Comparison

	Method 1: execute javascript	Method 2: System Events + Console
Speed	Fast (~2s per call)	Slower (~5s per call)
Reliability	High (when it works)	High (always works)
Multi-profile	Breaks	Works
Escaping	Painful (use JXA)	Easy (use python3 + pbcopy)
Read results	`title of active tab`	`name of window 1` (includes " - Google Chrome - Profile")
Prerequisites	Allow JS from Apple Events	Allow JS from Apple Events + Console access

Part 7: Limitations and Gotchas

Known Limitations

Limitation	Workaround
macOS only	No workaround — AppleScript is Apple-only
Chrome must be running	Script can launch Chrome: `open -a "Google Chrome"`
Must be logged in already	Log in manually once, session persists
document.title size limit (~few KB)	Chunk large responses, or use multiple calls
Async results need sleep/polling	`sleep 2` between execute and read
AppleScript string escaping is painful	Use JXA (JavaScript for Automation) instead
One command at a time per tab	Use multiple tabs for parallelism

Security Considerations

"Allow JavaScript from Apple Events" means ANY AppleScript can execute JS in your Chrome — be aware of this if you run untrusted scripts
Your browser cookies are used directly — treat this script with the same security as your browser
Don't hardcode sensitive data in scripts — use environment variables

Rate Limiting Best Practices

Wait 2+ seconds between API calls
Don't post more than 5 comments per session
Space out sessions (don't run hourly)
Monitor for 429/403 responses and back off

Part 8: Quick Reference

Cheat Sheet

# Is Chrome running?
pgrep -x "Google Chrome" && echo "Running" || echo "Not running"

# Launch Chrome
open -a "Google Chrome"

# Quit Chrome
osascript -e 'tell application "Google Chrome" to quit'

# Get current URL
osascript -e 'tell application "Google Chrome" to return URL of active tab of first window'

# Get page title
osascript -e 'tell application "Google Chrome" to return title of active tab of first window'

# Navigate
osascript -e 'tell application "Google Chrome" to tell active tab of first window to set URL to "https://example.com"'

# Execute JS (sync)
osascript -e 'tell application "Google Chrome" to tell active tab of first window to execute javascript "1+1"'

# Execute JS (async) — write to title, then read
osascript -e 'tell application "Google Chrome" to tell active tab of first window to execute javascript "fetch(\"/api/data\").then(r=>r.json()).then(d=>{document.title=JSON.stringify(d)})"'
sleep 2
osascript -e 'tell application "Google Chrome" to return title of active tab of first window'

# New tab
osascript -e 'tell application "Google Chrome" to tell first window to make new tab with properties {URL:"https://example.com"}'

# Count tabs
osascript -e 'tell application "Google Chrome" to return count of tabs of first window'

# JXA (for complex JS without escaping pain)
osascript -l JavaScript -e '
var chrome = Application("Google Chrome");
var tab = chrome.windows[0].activeTab;
tab.execute({javascript: "document.title"});
'

The Golden Rule

If you can do it in Chrome DevTools Console, you can automate it with AppleScript. Same context, same cookies, same permissions. The website literally cannot tell the difference.

Discovered on 2026-02-09 while trying to automate Reddit posting. After Playwright, Selenium, Chrome DevTools Protocol, and curl all failed to bypass Reddit's anti-bot detection, AppleScript Chrome control worked on the first try — because it doesn't try to fake a browser. It IS the browser.

Building a Multi-Provider Social Posting API with Automatic Fallback (Open Source)

Haoyang Pang — Wed, 07 Jan 2026 17:46:21 +0000

I built a Python library that handles social media posting across multiple providers with automatic fallback. If one API fails, it seamlessly switches to the backup. Here's why and how.

The Problem

When building a social media scheduling tool, I hit a common pain point: API reliability. Each social posting service has its quirks:

Rate limits
Occasional downtime
Different pricing tiers

Relying on a single provider felt risky. What if they go down right when your scheduled post needs to go out?

The Solution: Multi-Provider Architecture

I created social-posting-api - a unified interface that:

Tries the primary provider first (PostForMe - cheaper, volume-friendly)
Automatically falls back to LATE if the primary fails
Uses a consistent API regardless of which provider succeeds

from social_posting import SocialPostingClient

client = SocialPostingClient()

# Posts via PostForMe, falls back to LATE if needed
result = client.post(
    content="Hello from my multi-provider API!",
    platforms=["linkedin", "instagram"],
    media_urls=["https://example.com/image.jpg"]
)

print(f"Posted via: {result.provider}")  # "PostForMe" or "LATE"

Key Features

Automatic Fallback

# Try each provider with fallback
for provider in self.providers:
    result = provider.post(content, platforms, media_urls)
    if result.success:
        return result
    last_error = result.error

return PostResult(success=False, error=f"All providers failed: {last_error}")

Unified Account Management

# Get connected accounts from any provider
accounts = client.get_accounts()
for account in accounts:
    print(f"{account.platform}: {account.username}")

Media Upload with Presigned URLs

Both providers use presigned URL patterns for secure media uploads:

def upload_media(self, image_url: str) -> Optional[str]:
    # Download image
    img_data = requests.get(image_url).content

    # Get presigned upload URL from provider
    upload_url = self._get_presigned_url()

    # Upload directly to cloud storage
    requests.put(upload_url, data=img_data)

    return hosted_url

Multi-Image Carousel Support

Instagram carousels work seamlessly:

result = client.post(
    content="Check out these photos!",
    platforms=["instagram"],
    media_urls=[
        "https://example.com/photo1.jpg",
        "https://example.com/photo2.jpg",
        "https://example.com/photo3.jpg"
    ]
)

Supported Platforms

Twitter/X
LinkedIn
Instagram (requires media)
Facebook
TikTok
Threads
Bluesky
Pinterest
YouTube

Getting Started

git clone https://github.com/PHY041/social-posting-api
cd social-posting-api
pip install -r requirements.txt

Set your API keys:

# .env
POSTFORME_API_KEY=your_key_here
LATE_API_KEY=your_key_here

Run the test:

python social_posting.py

Why Open Source?

I'm building CanMarket, an AI-powered marketing tool. This social posting module is one piece of the puzzle, and I figured others might find it useful.

If you're building anything that needs reliable social media posting, feel free to use this as a starting point!

DEV Community: Haoyang Pang

We ran MiroFish on a real brand campaign. 105 AI agents. 6 minutes. Here's what happened.

The Problem

What We Built on Top of MiroFish

Real Results (345 seconds, not simulated)

The Technical Stack

Why This Matters Now

The Competitive Moat

Try It

Every AI Agent Skills Platform You Need to Know in 2026

The Landscape at a Glance

Part 1: Claude Code Skills Platforms

Tier S: Official & Verified

Tier A: Large Directories

Tier B: Curated Awesome Lists

Part 2: OpenClaw Skills Platforms

The Official Registry

Community Collections

Part 3: MCP Server Platforms (Works With Everything)

Part 4: Security — Read This Before Installing Anything

The Incidents

Security Tools

My Install Checklist

Part 5: The SKILL.md Standard (Quick Reference)

My Recommendations

If you want safety first

If you want volume

If you want quality scoring

If you're on OpenClaw

If you need MCP servers

Numbers at a Glance

I Open-Sourced Claude Code Skills for Reddit and DEV.to Automation (AppleScript + Chrome)

The Skills

1. Reddit Automation (claude-skill-reddit)

2. DEV.to Publishing (claude-skill-devto)

The Core Technique

Why Not Just Use the APIs Directly?

Install

What I Learned Building These

The Browser Automation Cheat Code Nobody Talks About: AppleScript + Chrome

Part 1: The Problem — Why Every Browser Automation Tool is Broken

The Arms Race

Tool-by-Tool Breakdown: Why They All Fail

Selenium

Playwright

Puppeteer

Chrome DevTools Protocol (CDP) Direct

curl / HTTP Client Libraries

Undetected-Chromedriver / Stealth Plugins

The Core Problem

Part 2: The Discovery — AppleScript is the Cheat Code

What is AppleScript Chrome Control?

Why This is Fundamentally Different

What This Means

Part 3: The Full Technical Guide

3.1 One-Time Setup

Enable JavaScript from Apple Events

Verify It Works

3.2 Three Core Operations

Operation 1: Navigate

Operation 2: Execute JavaScript

Operation 3: Read Tab Properties

3.3 The document.title Trick — Getting Complex Data Out

3.4 Making Authenticated API Calls

3.5 JXA (JavaScript for Automation) — Avoiding Escaping Hell

3.6 Targeting Specific Tabs

3.7 Opening New Tabs

Part 4: Our Reddit Automation — The Full Story

The Journey (What We Tried)

Attempt 1: Playwright MCP Browser

Attempt 2: Cookie Injection

Attempt 3: Chrome DevTools MCP

Attempt 4: Reddit API via curl

Attempt 5: AppleScript Chrome Control (THE WIN)

The Working Pipeline

Actual Commands Used

Part 5: Beyond Reddit — This Works Everywhere

The Pattern is Universal

The Same Three Steps Apply

For Sites with Complex SPAs

1. Reddit Automation (`claude-skill-reddit`)

2. DEV.to Publishing (`claude-skill-devto`)