ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xhs-auto-content-by-hot

v1.0.0

自动获取百度热搜话题,生成小红书文案并调用Seedream-4.5生成封面及配图,输出完整内容包。

0· 302·0 current·0 all-time
by@18923236683

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for 18923236683/xhs-auto-content-by-hot.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "xhs-auto-content-by-hot" (18923236683/xhs-auto-content-by-hot) from ClawHub.
Skill page: https://clawhub.ai/18923236683/xhs-auto-content-by-hot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xhs-auto-content-by-hot

ClawHub CLI

Package manager switcher

npx clawhub@latest install xhs-auto-content-by-hot
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and instructions match the stated purpose: fetching Baidu hot topics, generating Xiaohongshu copy, and calling a Seedream (火山引擎) image-generation endpoint. However, the SKILL.md does not declare the API key requirement as an environment variable or credential even though the script requires an API_KEY; instead it instructs the user to write the key into scripts/generate.py. That mismatch and the recommendation to embed a secret in source is disproportionate and unusual.
!
Instruction Scope
SKILL.md directs the agent/user to ask for the ByteDance/Seedream API key and store it inside generate.py. That expands scope to collecting and persisting a sensitive secret into code. The script performs network requests (to Baidu and the Volcengine endpoint) and writes files into /root/.openclaw/workspace by default; these actions are coherent with the feature but the instructions enable secret persistence in code and assume write access to /root, which is risky and not least-privilege.
Install Mechanism
No install spec (instruction-only + included script). Nothing is downloaded at install time and no external archive or unknown URLs are used by the installer. Execution requires Python and the requests library (not declared), which is a modest expectation.
!
Credentials
The skill requires a Seedream/ByteDance API key to function, but this is not declared in requires.env or primary credential fields; instead the SKILL.md instructs the user to paste the API key into the script. Asking to store a secret in source is disproportionate and dangerous. The script otherwise requests network access to Baidu and the Volcengine API only (no unrelated cloud creds), so the scope of credentials is small but handled insecurely.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no elevated persistent privilege requested. The skill writes output files to a workspace directory (default /root/.openclaw/workspace) and stores generated artifacts, which is expected behavior for a content generation tool and does not modify other skills or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged by the scanner. This is not necessary for the skill's stated purpose and can be used for prompt-injection or to obfuscate instructions; the presence is suspicious and should be removed or explained by the author.
What to consider before installing
This skill appears to implement the advertised workflow, but it asks you to paste your Seedream/ByteDance API key directly into scripts/generate.py — do NOT store secrets in source. Before installing or running: (1) inspect and, if needed, modify generate.py so it reads the API key from an environment variable or a protected config file instead of embedding it; (2) verify the Seedream API endpoint (ark.cn-beijing.volces.com) is the legitimate service you expect; (3) run the script in an isolated environment (container or VM) because it writes files under /root/.openclaw/workspace and makes outbound HTTP requests; (4) remove or ask the author to explain the unicode control characters in SKILL.md; (5) ensure Python and the requests package are present and consider reviewing/downloaded image URLs before following them. If you cannot confirm the endpoint or the control-characters explanation, treat this skill as risky and avoid providing high-privilege or reusable secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk972nn558h0v6yfr39efyw733582n3yp
302downloads
0stars
1versions
Updated 13h ago
v1.0.0
MIT-0
@18923236683
latest
Download

name: XHS-AutoContentByHot version: 1.0.0 description: 全自动生成小红书内容:获取百度热门话题 → 生成文案 → Seedream-4.5生图 → 输出图片+文案 author: Matianle

小红书内容生成 Skill

全自动4步流程,一键生成完整小红书内容!

功能

  1. 获取百度热搜TOP10,随机选择一个话题
  2. 根据话题生成小红书文案(标题15字以内 + 正文50-200字)
  3. 调用火山引擎Seedream-4.5生成3张配图(第1张为封面图)
  4. 输出所有图片 + 完整文案

使用方法

配置

  • 先询问使用者的字节跳动生图模型的 API Key 是什么,得到回复后,把它存入 generate.py 的 API_KEY 里面备用
  • 如果没有 API Key 或者 API Key 错误,则提示“生图失败,没有正确的 API Key,无法调用生图模型”

基础用法(自动从百度热搜选择话题)

python3 {baseDir}/scripts/generate.py

高级用法(自定义话题)

python3 {baseDir}/scripts/generate.py --topic "你的自定义话题"

更多选项

python3 {baseDir}/scripts/generate.py --topic "自定义话题" --images 5 --output-dir ./output

参数说明

  • --topic: (可选) 自定义话题,不指定则从百度热搜 TOP1-10 随机选择
  • --images: (可选) 生成图片数量,默认 3 张
  • --output-dir: (可选) 输出目录,默认 /root/.openclaw/workspace

输出

  • 图片:xhs_final_1.pngxhs_final_2.pngxhs_final_3.png
  • 文案:xhs_content.json
  • 话题:selected_topic.txt
  • 图片列表:generated_images.json

注意事项

  • 第1张图片提示词会自动添加"用来发布小红书的封面配图,要有网感与设计感"
  • 第2、3张图片不添加封面关键词,提示词完全不同
  • 所有图片尺寸为 2048x2048

Comments

Loading comments...