Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
xiaohongshu-search
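v1.0.0
Xiaohongshu content search tool. Uses the browser tool to control an already-logged-in Chrome, search public Xiaohongshu notes, extract titles, body text, topic tags and like counts, and analyze consumer trends. Intended for consumer-trend research in market research.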
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (search public Xiaohongshu notes and extract metadata) match the actions in SKILL.md (navigate search pages, extract title/content/tags/likes). Requiring browser automation to load and scrape pages is appropriate. The only mismatch is emphasis on an "already-logged-in Chrome"—searching public notes usually doesn't strictly require a logged-in account, so the instruction to use the user's logged-in session is not fully justified by the stated purpose.
Instruction Scope
SKILL.md instructs the agent to control a Chrome instance via remote debugging (open pages, click, snapshot, evaluate arbitrary JS in page context). Those actions will allow reading any content visible to that browser (including other sites, cookies, or private pages) and capturing full page snapshots; the instructions do not limit scraping to only public fields nor mention sanitization or explicit exclusion of private data. This broad access is a scope creep/risk relative to the claimed function of extracting public notes.
Install Mechanism
Instruction-only skill with no install spec and no code files. No packages or external downloads are requested, which minimizes installation risk.
Credentials
The skill requests no environment variables or credentials, which is proportional. However, its operational precondition—connecting to Chrome started with --remote-debugging-port and using an 'already-logged-in' profile—is effectively a request for powerful runtime access to the user's browser data. That capability is not expressed as an environment variable but is functionally equivalent to requesting privileged access and is not justified or constrained in the document.
Persistence & Privilege
always: false and normal autonomous invocation defaults. The skill does not request permanent presence or system-wide config changes in the SKILL.md.
What to consider before installing
This skill is coherent for web scraping Xiaohongshu, but it requires you to run Chrome with remote debugging and to use a logged-in browser session. Opening a remote-debugging port and letting an agent control an already-authenticated browser can expose cookies, other site data, and private pages. Before installing or using it:
1) Only run the skill against a dedicated Chrome profile or a disposable browser instance (not your daily browser).
2) Avoid using a profile that has other site logins or sensitive tabs open.
3) Prefer starting Chrome without personal accounts or use an automated/sandboxed environment (VM/container).
4) Confirm where snapshots/extracted data are stored or transmitted by whatever runtime will execute these browser commands.
5) If you need stronger assurance, ask the publisher for source code or a detailed security/sandboxing explanation; absence of a known source increases risk.
Providing those details would raise confidence; lacking them, treat this skill as potentially able to access more than just public Xiaohongshu content.
Like a lobster shell, security has layers — review code before you run it.
Tags: latest, research, social-media, trends, xiaohongshu
