小红书评论分析
PassAudited by ClawScan on May 8, 2026.
Overview
This instruction-only skill is coherent and clearly discloses that it sends Xiaohongshu note links and an ai-skills.ai API key to a third-party analysis service.
This skill appears benign and purpose-aligned. Before installing, confirm you trust ai-skills.ai, use a revocable API key with limited exposure, avoid sending private or sensitive Xiaohongshu links, and consider adding a timeout if you run the provided polling script.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The API key may allow use of the user's ai-skills.ai quota or paid service access.
The skill requires an ai-skills.ai API key and explicitly sends it to the same third-party service for authenticated task creation and status polling.
requiredEnvVars:\n - name: AISKILLS_API_KEY\n description: "从 https://ai-skills.ai 获取的 API Key。Step 2/3 接口调用时会将 API Key 发送至 ai-skills.ai 服务器。"
Use a dedicated, revocable API key, monitor usage, and revoke it if unexpected activity appears.
The third-party service will learn the Xiaohongshu note link or content ID being analyzed and will receive the API key for authenticated requests.
The skill discloses a third-party provider boundary and lists the data sent, including note links/parameters and the API key.
security:\n thirdPartyDomain: ai-skills.ai\n dataSent:\n - "skillId(技能标识符)"\n - "params(技能参数,含用户提供的笔记链接,Step 2/3 需认证)"\n - "X-API-Key(认证密钥,仅 Step 2/3 发送)"
Only analyze links you are comfortable sharing with ai-skills.ai, and review that provider's privacy and retention policies before use.
If the remote task never completes or returns an unexpected status, the script could keep running and making repeated API requests.
The example one-click script polls indefinitely until the task reports completed, without a timeout or error-exit condition.
while true; do\n STATUS=$(curl -s https://ai-skills.ai/api/comment-analysis/tasks/$TASK_ID \\\n -H "X-API-Key: $AISKILLS_API_KEY" ... )\n [ "$STATUS" = "completed" ] && break\n sleep 3\ndone
Run the workflow only when requested by the user and add a maximum retry count or timeout before using the script.