XHS Publisher
v1.0.0Publish notes (posts) to Xiaohongshu (小红书) via the Creator Platform using browser automation (CDP). Use when user asks to post/publish/发布 content on Xiaohong...
⭐ 0· 541·4 current·4 all-time
by@waao666
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the SKILL.md. The steps (open creator.xiaohongshu.com, upload cover image, fill title/body, click publish) and use of browser CDP (DOM.setFileInputFiles, Input.insertText, dispatchMouseEvent) are directly relevant to publishing notes. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Instructions are specific to web UI automation and include actions that touch local filesystem paths (files for upload) and browser remote-debugging. They do not ask for unrelated system data, but they assume the agent can access image file paths and control a Chromium instance via CDP. The SKILL.md also suggests taking DOM snapshots and checking the UI for avatars—expected for this purpose.
Install Mechanism
No install spec or third-party downloads — instruction-only. This minimizes supply-chain risk; the skill will not write code to disk or fetch external archives as part of installation.
Credentials
The skill requires no environment variables or credentials, which is proportionate. However, it does implicitly require access to (a) a Chromium instance started with --remote-debugging-port and (b) local image files referenced by absolute paths. Ensure you only expose the intended files/paths and the debugging port to trusted components.
Persistence & Privilege
always is false. The skill does not request persistent/global privileges or modify other skills. It can be invoked autonomously (platform default), which is normal; combined with its lack of credential requests this is not a high privilege footprint.
Assessment
This skill appears to do exactly what it says: automate posting to Xiaohongshu via a browser CDP. Before installing or using it: (1) Confirm you are comfortable granting the agent access to the local Chromium instance (remote debugging port) and any image file paths you provide — this lets the agent read those files and control the browser. (2) Test with a throwaway or test account first so accidental posts don't hit your main account. (3) Verify every post before publishing (the skill automates clicks and coordinate-based interactions). (4) If your platform exposes a filesystem sandbox or file-picking API, prefer giving access only to specific images rather than unrestricted filesystem access. (5) If you need stronger assurance, ask the skill author for an implementation that uses an explicit file-pick flow or an API with scoped tokens so you can audit exactly which files and actions are used.Like a lobster shell, security has layers — review code before you run it.
latest
Xiaohongshu Publisher
Automate publishing notes to Xiaohongshu (小红书) via the Creator Platform (creator.xiaohongshu.com) using browser CDP.
Prerequisites
- Browser with CDP access (Chromium with
--remote-debugging-port) - User must be already logged in to Xiaohongshu (manual QR scan login required — automation is blocked by anti-bot detection)
- Chinese font installed (e.g.,
DroidSansFallbackFull.ttf) for cover image generation
Workflow
1. Verify Login Status
browser open → https://creator.xiaohongshu.com
browser snapshot → check if logged in (look for user avatar/name)
If not logged in, ask user to scan QR code manually. Phone number login is blocked by anti-automation detection.
2. Navigate to Publish Page
browser open → https://creator.xiaohongshu.com/publish/publish
Wait for the editor to load. Look for the upload area and editor elements.
3. Upload Cover Image
Upload image via CDP DOM.setFileInputFiles:
// Find the file input element
const fileInput = document.querySelector('input[type="file"]');
// Use CDP to set file
DOM.setFileInputFiles({ files: ['/path/to/image.jpg'], objectId: ... })
⚠️ Cover Image Text Rendering: On systems without full CJK fonts, Chinese text in generated images may show as squares (□). Solutions:
- Use
DroidSansFallbackFull.ttffor Chinese characters - Use a mixed font approach: CJK font for Chinese + DejaVu/system font for ASCII
- Always verify the image before uploading
4. Input Title
Use CDP Input.insertText for reliable Chinese text input (avoids encoding issues):
// Click title input field first
// Then use CDP:
Input.insertText({ text: "你的标题" })
Title limit: 20 characters max.
5. Input Body Content
Target the ProseMirror editor:
// Selector: .tiptap.ProseMirror (contenteditable div)
// Click to focus, then use Input.insertText
Supports basic formatting. For hashtags, type #话题 and select from dropdown.
6. Publish
Click the publish button. Use coordinate-based click (Input.dispatchMouseEvent) if selector-based click fails:
Input.dispatchMouseEvent({ type: 'mousePressed', x: X, y: Y, button: 'left', clickCount: 1 })
Input.dispatchMouseEvent({ type: 'mouseReleased', x: X, y: Y, button: 'left', clickCount: 1 })
7. Verify Publication
After publishing, check for:
- Success: redirect to content management page
- Failure:
error_code=300031means content was taken down (usually image issues)
Key Technical Details
- Tab switching:
.creator-tab:not(.active)CSS selector for switching between image/video modes - Anti-automation: Xiaohongshu has aggressive bot detection. Avoid rapid automated actions. Add delays between steps.
- Content moderation: Posts may be auto-reviewed and taken down. Check content management page for status.
- Image requirements: Recommended ratio 3:4, minimum 960x1280px for best display
Troubleshooting
| Problem | Solution |
|---|---|
| Login blocked | Use QR code scan (manual), not phone number |
| Chinese text shows □ in images | Use DroidSansFallbackFull.ttf font |
| Post taken down (300031) | Check cover image for rendering issues |
| Title input garbled | Use Input.insertText CDP method |
| Publish button unresponsive | Use coordinate-based mouse events |
| Cannot delete posts via API | Use web UI manually; API returns 404 |
Reference: User Profile Access
To fetch user profile info:
browser open → https://www.xiaohongshu.com/user/profile/{userId}
browser snapshot → extract follower count, note count, etc.
Comments
Loading comments...