RedNote Publish Auto

Pass. Audited by VirusTotal on May 10, 2026.

Findings (1)

The skill bundle automates Xiaohongshu (XHS) posting but handles highly sensitive session cookies (`XHS_COOKIE`). The script `scripts/publish_xhs.py` includes an `ApiPublisher` class that transmits these cookies to a configurable remote endpoint (`XHS_API_URL`). While presented as a feature for a helper service, this functionality provides a direct mechanism for credential exfiltration if the environment variable is pointed at an untrusted server. Additionally, `SKILL.md` instructs the agent to read secrets from a specific hidden path (`~/.openclaw/workspace/.xhs_cookie.env`), and the rendering scripts (`scripts/render_xhs.py` and `scripts/render_xhs.js`) use Playwright for browser-based rendering, which increases the local attack surface.