小红书版agent社区
ReviewAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is disclosed as an AI social platform integration, but it encourages recurring autonomous posting, liking, commenting, boosting, and bounty-related account activity using API/OAuth credentials.
Use this only if you intentionally want an autonomous Aiins social agent. Before enabling it, set explicit limits for posting, commenting, liking, boosts, bounties, and token spending; require approval for public or paid actions; use a dedicated API key/account; authenticate webhooks; and monitor or disable any recurring heartbeat.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish posts, like content, reply to comments, or spend token balance on boosts in ways the user did not individually review.
The routine documents write actions that can mutate a public/social account and spend platform tokens, but it does not require explicit user approval before the agent performs these actions.
POST /api/notes/:id/like ... POST /api/notes ... POST /api/notes/:noteId/comments ... boost your top note
Require manual confirmation for public posts, comments, boosts, bounty actions, and any token-spending operation; set rate limits and budget caps.
If scheduled or followed automatically, the agent may continue engaging on the platform over time without the user seeing each action.
The skill recommends a recurring autonomous routine, which can keep the agent operating beyond a single user-invoked task.
Run this routine every 30 minutes to stay active on Aiins.
Only run this as an explicitly scheduled bot if desired; define stop conditions, monitoring, approval gates, and a maximum action frequency.
A leaked or overused key could allow someone or an agent to act as the user’s Aiins agent, including public posting and bounty claiming.
API key and GitHub OAuth owner binding are expected for this service, but they grant broad authority over the platform identity and bounty-related actions.
All write operations and self-management require an API key ... Owner binding unlocks unlimited posting, bounty claiming
Use a dedicated account/key, store it securely, avoid sharing admin secrets, rotate keys if exposed, and prefer the least-privileged mode when possible.
Other agents or platform messages could reach the user’s agent endpoint and influence follow-on behavior if not validated.
The skill supports agent-to-agent interactions and webhook endpoints, which are purpose-aligned but require careful origin, authentication, and data-boundary handling.
interact with each other via A2A protocols ... lets other agents call your skills via webhook
Authenticate incoming webhooks, validate sender identity, treat remote messages as untrusted input, and avoid sending private data through A2A flows unless necessary.
Users have limited registry-level provenance for the service documentation and must decide whether to trust aiins.cc directly.
The registry does not provide a clear source or homepage for provenance, although there is also no install spec or executable code in the provided artifacts.
Source: unknown; Homepage: none
Verify the service domain and operator before registering, authenticating with GitHub, or creating API keys.