Skill v0.1.0

ClawScan security

小红书 AI 副业指南 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 3:02 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill claims to provide a runnable generator tool, but the package only contains templates and documentation (no executable), and it references external APIs and tools without declaring credentials — this mismatch suggests the package is incomplete or inconsistently packaged and warrants caution before use.
Guidance
This package appears to be templates and documentation rather than a runnable tool. Before installing or executing anything:
1) Verify whether a trustworthy xiaohongshu-gen script is actually provided by the author; do not run executables you didn't inspect.
2) If you plan to add automation (publish via API or use OpenClaw/Midjourney), expect to supply API keys. Inspect any script for network calls or credential-handling code and only provide keys to code you trust.
3) If someone hands you a binary/script to match the README, review its source or run it in an isolated environment first.
4) Be aware that generated "earnings" claims are content strategy suggestions, not verified results.
If you want this judgment revised, provide the actual xiaohongshu-gen script or any installation script for review.

Review Dimensions

Purpose & Capability
concern: The name/description promise a CLI/script 'xiaohongshu-gen' that generates Xiaohongshu notes, but the archive does not include any executable/script file. The SKILL.md and README reference a main script and integrations (OpenClaw, 小红书 API) yet the package only contains templates and prompts. Expectation mismatch: a runnable generator would normally include the script or clear install instructions.
Instruction Scope
concern: Runtime instructions are limited to generating text and cover prompts and copying output to the app (which is low-risk). However, the instructions repeatedly show CLI usage for a script that is not present. The documentation mentions integrations (OpenClaw, 小红书 API, Midjourney/DALL·E) but provides no automation steps or credential guidance, leaving an ambiguous scope that could change if an implementation is added.
Install Mechanism
note: There is no install spec (instruction-only), which is low-risk. However, the file tree claims a main script (xiaohongshu-gen) that is missing; if you later obtain/execute such a script from another source, that would change the risk profile significantly.
Credentials
note: The skill declares no required environment variables or credentials, yet examples and templates mention using the 小红书 API, OpenClaw, and image services. If you attempt to automate publishing or image generation, those integrations would require API keys/credentials that are not documented here, which is a potential surprise if added later.
Persistence & Privilege
ok: The skill does not request persistent/always-on privileges and is user-invocable. As packaged, it is instruction-only and does not attempt to modify other skills or system settings.