Xiaohongshu Competitor Monitoring Assistant (小红书竞品监控助手)
v1.0.1 Xiaohongshu competitor monitoring: automatically collects competitor notes, pushes Feishu notifications, and writes to a data dashboard
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The code (scrapers, parser, dedupe, Feishu notifier) is consistent with the skill description. However, the metadata and requirements are incomplete: SKILL.md and the metadata only declare installing puppeteer-core and an environment requirement of PATH, while the code uses puppeteer-extra and puppeteer-extra-plugin-stealth and expects the CHROMIUM_PATH, XHS_DATA_DIR and DEBUG_PORT environment variables. The declared requirements therefore do not reflect what the skill actually needs in order to run.
Instruction Scope
Instructions and scripts tell the agent to launch Chrome with remote debugging, keep the browser's user-data-dir open, run node main.js, and write history and data files locally. The skill does not try to read unrelated system files and contains no hidden remote endpoints, but exposing Chrome's remote-debugging port and keeping browser session data on disk are operational risks: anything that can reach the debugging port can drive the logged-in browser, and the session data persists locally for as long as the profile exists.
Install Mechanism
The skill is instruction-only (no automated install), and SKILL.md suggests npm install puppeteer-core. The runtime code also requires puppeteer-extra and the stealth plugin, but neither is declared in the install metadata. There are no downloads from arbitrary URLs, which is good, but the declared install list is incomplete and will leave dependencies missing if followed exactly.
Credentials
The declared required env vars list only PATH, but the code and instructions rely on CHROMIUM_PATH, XHS_DATA_DIR and DEBUG_PORT. notify.example.js references Feishu (Lark) tokens and BITABLE_CONFIG (app_token/table_id); these are optional, but if provided they permit external notification and data upload. No primary credential is defined in the metadata; adding Feishu credentials grants the skill outbound network access for notifications. The skill also asks for persistent local storage (data/history.csv and the browser user-data-dir), which may contain session and auth artifacts.
Persistence & Privilege
always: false, and the skill is user-invocable; it does not demand forced always-on inclusion. It can run as a daemon/scheduler and writes its own data under the project data directory, but it does not modify other skills or system-wide agent settings. This is expected for a monitoring tool.
What to consider before installing
What to check before installing/running:
- Dependencies: the metadata mentions only puppeteer-core, but the code uses puppeteer-extra and puppeteer-extra-plugin-stealth. Make sure package.json lists every required package, or install the additional modules with npm before running.
- Environment variables: set CHROMIUM_PATH (path to the Chrome/Chromium binary), XHS_DATA_DIR and DEBUG_PORT as the instructions describe. The skill's declared requirements list only PATH, so you must provide these yourself.
- Remote debugging risk: run.sh and the instructions start Chrome with --remote-debugging-port. Chrome binds that port to 127.0.0.1 unless --remote-debugging-address is also passed, so never set that flag to 0.0.0.0, confirm the binding with ss -ltn or lsof, and keep the host firewalled. Even on loopback, any process on the machine can drive the logged-in browser through that port, so only run this on a trusted, single-purpose host.
- Persistent session data: the skill stores the browser user-data-dir and history.csv under the data directory, and the browser profile contains the logged-in Xiaohongshu session. Restrict that directory to your own user, do not run this on a machine holding sensitive accounts unless you accept stored session artifacts, and never commit config.js, notify.js or data/ to a repository.
- Feishu (Lark) / Bitable: notify.example.js shows where tokens would go. Copy secrets into notify.js only after auditing it, and prefer reading them from the environment over hardcoding them. Once app tokens are present the skill sends data externally; review and limit what is sent.
- Run in isolation: run in a dedicated VM or container to limit the impact of browser remote control or accidental data leakage.
- Safety improvements: ask the author for a complete package.json, an explicit list of required environment variables in the metadata, and a note that remote debugging must stay bound to localhost. Until then, treat the skill as requiring manual vetting before use.
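To verify the dependency gap described in the checklist without trusting the metadata, here is an added example (not code from the skill or its author): a POSIX shell audit that extracts every bare require() from a project's JavaScript sources and reports the ones missing from package.json, with Node built-ins excluded via require('module').builtinModules. The helper names and the assumption that sources live under the skill directory outside node_modules are illustrative.

```shell
#!/bin/sh
# Added example, not part of xhs-monitor: list the modules a skill's source
# require()s that its package.json does not declare. Run against this skill
# it should surface puppeteer-extra and puppeteer-extra-plugin-stealth, the
# gap the scan reports.
set -eu

# Bare module names from require('x') / require("x") on stdin. Relative
# requires (./config) are skipped, a node: prefix is dropped, and deep paths
# ('@scope/pkg/lib', 'pkg/sub') are reduced to the installable package name.
required_modules() {
  grep -hoE "require\(['\"][^'\"./][^'\"]*['\"]\)" \
    | sed -E "s/^require\(['\"]//; s/['\"]\)\$//" \
    | sed -E 's/^node://; s#^(@[^/]+/[^/]+|[^/]+).*#\1#' \
    | LC_ALL=C sort -u
}

# Names on stdin that do not appear in the file $1 (one name per line).
# An empty or missing file is handled: every name is then reported.
undeclared() {
  awk -v known="$1" 'BEGIN { while ((getline l < known) > 0) k[l] = 1 } !($0 in k)'
}

# audit_requires /path/to/skill  -> prints undeclared modules, returns 1 if any.
audit_requires() {
  known="$(mktemp)"
  node -e 'const p = require(require("path").resolve(process.argv[1]));
           console.log(Object.keys({ ...p.dependencies, ...p.devDependencies }).join("\n"))' \
    "$1/package.json" > "$known" 2>/dev/null || echo "no readable package.json in $1" >&2
  node -p 'require("module").builtinModules.join("\n")' >> "$known"
  found="$(find "$1" -name '*.js' -not -path '*/node_modules/*' -exec cat {} + \
            | required_modules | undeclared "$known")"
  rm -f "$known"
  [ -z "$found" ] || { printf 'required but not declared:\n%s\n' "$found"; return 1; }
}
```

Run `audit_requires ~/xhs-monitor` after cloning; a non-zero exit means the install instructions are incomplete and the listed packages must be added to package.json (or installed by hand) before main.js will load.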
Overall: the project appears to do what it says, but the metadata/documentation mismatches and the operational choices (remote debugging, persistent sessions, incomplete declared dependencies) are reasons to review and harden it before deploying on a sensitive host.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scheduler.js:24: Shell command execution detected (child_process).
Runtime requirements
Clawdis
Bins: node
Env: PATH
Tags: automation, feishu, latest, monitoring, social-media, xiaohongshu
Xiaohongshu Competitor Monitoring System (xhs-monitor)
Automatically collects notes from competitor Xiaohongshu accounts, extracts the valuable content, and pushes it to Feishu.
Features
- ✅ Automatically collects notes from multiple competitor accounts
- ✅ Local deduplication (avoids repeat pushes)
- ✅ Smart parsing (extracts title, body, products, live-stream time)
- ✅ Feishu card push
- ✅ Scheduled automatic runs (14:06 / 18:06 / 21:06)
- ✅ Manual trigger supported
Installation
Option 1: install via ClawHub (recommended)
# Install the skill
npx clawhub@latest install xhs-monitor
# or use the clawhub CLI
clawhub install xhs-monitor
Option 2: manual install
# Clone the project
git clone https://github.com/<your-username>/xhs-monitor.git
cd xhs-monitor
# Install dependencies. Note: the code also requires puppeteer-extra and
# puppeteer-extra-plugin-stealth (see the scan notes above); install those too.
npm install puppeteer-core
3. Configuration
# Copy the config templates
cp config.example.js config.js
cp notify.example.js notify.js
4. Configure accounts
Edit config.js:
// Competitor account list (required)
// Take the ID from the user's profile URL: xiaohongshu.com/user/profile/<userId>
const ACCOUNTS = [
{ name: 'account-name-1', id: 'user-id-1' },
{ name: 'account-name-2', id: 'user-id-2' },
];
// Account profile URL map (used for jump links)
const ACCOUNT_URLS = {
'account-name-1': 'https://www.xiaohongshu.com/user/profile/user-id-1',
'account-name-2': 'https://www.xiaohongshu.com/user/profile/user-id-2',
};
5. Start the browser (debug mode)
The first time, start the browser manually and log in by scanning the QR code:
# Mac
export CHROMIUM_PATH="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
"$CHROMIUM_PATH" \
--remote-debugging-port=9223 \
--user-data-dir="$HOME/xhs-monitor/data/browser" \
"https://www.xiaohongshu.com/"
# or use run.sh (auto-detects the browser)
bash run.sh
After scanning the QR code, just leave the browser open. Chrome binds the debugging port to 127.0.0.1 by default; do not add --remote-debugging-address, and keep in mind that the user-data-dir now holds your logged-in session.
6. Run
cd xhs-monitor/src
node main.js
Configuration reference
config.js
| Parameter | Description | Example |
|---|---|---|
| ACCOUNTS | List of accounts to monitor | { name: 'account-name', id: 'user-id' } |
| ACCOUNT_URLS | Map of account profile URLs | used for jump links |
notify.js (optional)
To use Feishu notifications you need to:
- Grant the Feishu app the permission im:message.send_as_user
- To write to a Bitable (multi-dimensional table), configure BITABLE_CONFIG
Project structure
xhs-monitor/
├── src/
│ ├── main.js # main entry point
│ ├── config.js # account config ⚠️ copy from config.example.js
│ ├── config.example.js # config template
│ ├── notify.js # Feishu push ⚠️ copy from notify.example.js
│ ├── notify.example.js # push template
│ ├── parser.js # content parsing
│ ├── dedupe.js # deduplication
│ └── scraper.js # browser scraping
├── data/
│ └── history.csv # history (generated automatically)
└── README.md
Usage
Manual run
node src/main.js
Scheduled task (Mac)
Edit the crontab:
crontab -e
# Add the following lines:
6 14 * * * /usr/bin/node /path/to/xhs-monitor/src/main.js
6 18 * * * /usr/bin/node /path/to/xhs-monitor/src/main.js
6 21 * * * /usr/bin/node /path/to/xhs-monitor/src/main.js
Cron does not load your shell profile, so CHROMIUM_PATH, XHS_DATA_DIR and DEBUG_PORT must be set in the crontab itself or in a wrapper script, and the logged-in browser must still be running at those times.
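The browser launch step, the cron entries, and the remote-debugging and persistent-session items in the scan checklist all come together in one wrapper. The following is an added example, not the project's run.sh or any code by its author: it starts Chrome with the DevTools port left on loopback, refuses to run the scraper if that port turns out to be bound to a non-loopback address, locks down the data directory, and exports the environment that cron would otherwise not provide. It assumes the variable names the scan reports (CHROMIUM_PATH, XHS_DATA_DIR, DEBUG_PORT), a PROJECT_DIR of $HOME/xhs-monitor, and a script name of xhs-launch.sh; all three are illustrative.

```shell
#!/bin/sh
# Added example, not part of xhs-monitor: a launcher/cron wrapper that starts
# Chrome with its DevTools port confined to loopback, verifies that binding
# before the scraper runs, and passes the environment the scraper expects.
# Assumptions not confirmed by the README: the code reads CHROMIUM_PATH,
# XHS_DATA_DIR and DEBUG_PORT (as the scan reports), the checkout lives in
# PROJECT_DIR, and `node main.js` is run from its src/ directory.
set -eu

: "${CHROMIUM_PATH:=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome}"
: "${PROJECT_DIR:=${HOME:-$PWD}/xhs-monitor}"
: "${XHS_DATA_DIR:=$PROJECT_DIR/data}"
: "${DEBUG_PORT:=9223}"
export CHROMIUM_PATH XHS_DATA_DIR DEBUG_PORT

# Read a listener table (`ss -ltn` on Linux, `lsof -nP -iTCP -sTCP:LISTEN` on
# macOS) from stdin and print the lines where port $1 is bound to anything
# other than 127.0.0.1 / [::1] / localhost. No output means loopback-only.
non_loopback_listeners() {
  grep -E ":$1([^0-9]|\$)" \
    | grep -vE "(127\.0\.0\.1|\[::1\]|localhost):$1([^0-9]|\$)" \
    || true
}

listener_table() {
  if command -v ss >/dev/null 2>&1; then ss -ltn; else lsof -nP -iTCP -sTCP:LISTEN; fi
}

ensure_loopback_only() {
  exposed="$(listener_table | non_loopback_listeners "$DEBUG_PORT")"
  if [ -n "$exposed" ]; then
    printf 'DevTools port %s is bound beyond loopback; refusing to run:\n%s\n' \
      "$DEBUG_PORT" "$exposed" >&2
    return 1
  fi
}

# Poll the DevTools HTTP endpoint on 127.0.0.1 (an address, never a hostname)
# until it answers; /json/version is served by every Chrome debug port.
wait_for_devtools() {
  tries=0
  while [ "$tries" -lt 15 ]; do
    if curl -fsS "http://127.0.0.1:$DEBUG_PORT/json/version" >/dev/null 2>&1; then
      return 0
    fi
    tries=$((tries + 1)); sleep 1
  done
  echo "no DevTools endpoint on 127.0.0.1:$DEBUG_PORT; is the browser running?" >&2
  return 1
}

launch_browser() {
  mkdir -p "$XHS_DATA_DIR/browser"
  chmod 700 "$XHS_DATA_DIR"   # the profile holds the logged-in XHS session
  # --remote-debugging-address is deliberately left at its default (127.0.0.1);
  # passing 0.0.0.0 would expose the logged-in browser to the network.
  "$CHROMIUM_PATH" \
    --remote-debugging-port="$DEBUG_PORT" \
    --user-data-dir="$XHS_DATA_DIR/browser" \
    "https://www.xiaohongshu.com/" >/dev/null 2>&1 &
}

run_monitor() {
  cd "$PROJECT_DIR/src"
  exec node main.js
}

# For scheduled runs point cron at this wrapper rather than at node directly;
# cron does not load your shell profile, so the exports above are the only
# environment main.js will see:
#   6 14 * * * /path/to/xhs-launch.sh run
main() {
  case "${1:-}" in
    launch) launch_browser; wait_for_devtools; ensure_loopback_only ;;
    run)    wait_for_devtools; ensure_loopback_only; run_monitor ;;
    check)  wait_for_devtools; ensure_loopback_only ;;
    *)      echo "usage: $0 launch|run|check" >&2 ;;
  esac
}
main "$@"
```

Use `xhs-launch.sh launch` once for the QR-code login, `xhs-launch.sh check` to confirm the port binding at any time, and `xhs-launch.sh run` from cron. The check is deliberately a plain table scan so the same function works on both the `ss` and `lsof` output formats.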
FAQ
Q: Does the browser have to stay open?
A: Yes. After the first login, keep the browser open; the program reuses the session.
Q: Why is nothing being captured?
A: Check that the browser is running in debug mode (--remote-debugging-port) on the port the program connects to. The launch example above uses 9223, so the port used here and DEBUG_PORT must agree.
Q: How do I add a new account?
A: Edit the ACCOUNTS array in config.js.
To do
- Automatic Bitable writes
- LLM-based parsing
- Fetching note detail links
- Automatic login-state detection