xiaohongshu-skill

What to check before installing/using this skill: - Understand persistence: the tool creates ~/.xhs (Chrome profiles, accounts.json) and temporary session files; logged-in cookies and profiles are stored locally and grant ongoing access to your logged-in Xiaohongshu sessions. If you don't want persistent credentials on your machine, do not use it or run it in an isolated container or VM. - Inspect the SKILL.md and code you received (especially any non-ASCII/control characters). The scanner found unicode-control-chars in SKILL.md — open the file in a hex-capable editor to ensure there are no invisible manipulative characters. - Confirm provenance: source is listed as a GitHub repo; verify that the repo owner and releases are legitimate (check commit history, stars, issues). Prefer installing from an official GitHub release rather than a zip from an unknown mirror. - Run in an isolated environment for first use: a disposable VM, container, or dedicated user account will limit impact if something unexpected happens. After installation, inspect files created under ~/.xhs and temp directories. - Review optional env vars and network behavior: CHROME_BIN, XHS_PROXY can change runtime behavior (proxy routing). If you see unexpected proxy settings, do not proceed. The tool opens Chrome with remote-debugging; ensure your machine/network policies allow this. - Check and limit automation scope: the SKILL.md mandates using only this project's CLI — that is not malicious by itself, but be cautious when granting agents autonomous invocation; verify the agent only runs expected CLI commands and requires explicit user confirmation for publish/comment actions. If you want, I can (a) point out exactly which files persist sensitive data and where, (b) extract and show any non-printable characters from SKILL.md, or (c) suggest a minimal containment/run strategy (docker commands) for testing safely.