ClawHub

XHS-Ops: Xiaohongshu Operations Toolkit

v1.0.0

Xiaohongshu (小红书) end-to-end operations skill: hot topic research, post writing with built-in audit, automated commenting with rate limiting, and cover image...

2· 487·2 current·3 all-time
by@cmhoennexy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Xiaohongshu ops: trending search, write/audit, comment, cover) align with code and SKILL.md. Scripts call a local MCP service and use Playwright for screenshots, which are reasonable for the declared features.
Instruction Scope
SKILL.md and scripts limit actions to searching feeds, generating prompts/audits, posting comments via the local MCP, and rendering covers. Data written is mostly /tmp/xhs-search-results.json and optional ~/covers; comment posting requires per-feed xsec_token obtained from search results. The skill enforces a sensitive-word blacklist and comment rate limits in code.
Install Mechanism
No formal install spec in registry (instruction-only), but scripts/setup.sh instructs installing Python deps and Playwright and suggests downloading xiaohongshu-mcp from a GitHub releases URL. Downloading/executing a third‑party binary is expected for this skill but carries normal risks—verify the release and platform binary before running.
Credentials
The skill requests no environment variables, credentials, or config paths in the registry metadata. Runtime requires a locally running MCP service and the user's login for that binary (external to the skill). There are no unexpected credential requests in code or SKILL.md.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges or modify other skills. It runs as user-invoked tools and relies on a local service; autonomous invocation is allowed by default but not exceptional here.
Assessment
This skill appears coherent and implements the features it advertises, but a few practical cautions: 1) setup.sh suggests downloading and running a platform-specific xiaohongshu-mcp binary from GitHub releases — treat any third‑party binary as sensitive: verify the upstream repo, checksum, and platform build before executing, or run it in an isolated VM/container. 2) Playwright will download browser binaries during install; that is expected for cover generation. 3) Automated commenting interacts with your Xiaohongshu account via the MCP service — ensure you control the account/login used, understand posting limits and platform rules (automated comments can risk rate limits or account action). 4) The scripts save search results to /tmp/xhs-search-results.json and read config.json in the skill folder; review and edit config.json before running. If you want higher assurance, inspect the included Python files locally and run the MCP binary in an isolated environment before connecting it to any real account.

Like a lobster shell, security has layers — review code before you run it.

latestvk975m98zzmybm190p1svey1195831pqe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments