XHS_Content productionandpublishing
v1.0.1Automatically publish notes to Xiaohongshu (小红书) creator center. Generates cover images (PIL poster, multiple styles), writes content from templates, and pub...
⭐ 1· 238·1 current·1 all-time
by内容科学|Content Science@harveyzzzz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Xiaohongshu post generation + publishing) match the included scripts: content generation, cover image generation, login/save profile, and Playwright-based publishing. No unrelated binaries, credentials, or services are requested.
Instruction Scope
SKILL.md and scripts confine runtime actions to generating content/images, launching a local browser via Playwright, navigating creator.xiaohongshu.com, saving screenshots and profile data under the skill data directory. Instructions do not read system files or environment variables beyond the declared optional ones (data dir, profile dir, font path).
Install Mechanism
There is no automated install spec in the bundle; SKILL.md instructs users to pip install playwright and pillow and run 'playwright install chromium'. That will download a browser binary (expected for Playwright). No remote code downloads from untrusted URLs are present in the skill itself.
Credentials
The skill requires no secrets or primary credentials. Optional environment vars (SKILL_DATA_DIR, XHS_PROFILE_DIR, XHS_FONT_PATH) are appropriate for customizing storage and fonts. There are no unexpected TOKEN/KEY/PASSWORD env vars or references to other services.
Persistence & Privilege
always:false (good). The skill supports persisting a browser profile to disk (default temporary, but save_login.py forces a persistent .local/xhs_browser_profile). If a persistent profile contains an authenticated Xiaohongshu session, the agent (or an automated run) can publish posts without interactive login. Users should be aware this enables unattended posting if the profile is reused.
Assessment
This skill appears to do what it claims: generate content and images locally and automate posting to creator.xiaohongshu.com via a local Playwright browser. Before installing/using it: 1) Review the scripts locally and run them in an environment you control (not a production machine) so you can inspect behavior. 2) Be cautious about enabling persistence: if you run save_login.py it will store login cookies in a profile directory (default: .local/xhs_browser_profile) — anyone or any automated process with access to that directory could post as you. 3) Playwright will download a browser binary when you run 'playwright install chromium' — this is expected but may be large. 4) If you plan to allow autonomous agent invocation, understand the agent could run publish.py using any saved profile and post without further prompts; consider restricting autonomous use or using an ephemeral test account for initial runs. 5) There are no obvious exfiltration endpoints or secret reads in the code, but always run third-party code in an isolated environment if you have concerns.Like a lobster shell, security has layers — review code before you run it.
latestvk97d2627t9h7q3k1a4r6bqsrm182fjqm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.