小红书每日爆款笔记推荐 (Xiaohongshu daily hot-note recommendations)

Review

Audited by ClawScan on May 15, 2026.

Overview

The skill's stated purpose is coherent, but it fetches its ranking data from an external host that the skill description does not disclose, and it does so with TLS certificate and hostname verification disabled, so users should review it before installing.

Install only if you are comfortable with an undisclosed third-party backend supplying the ranking data. Prefer an updated version that uses normal HTTPS certificate verification, clearly discloses the data provider, and pins or bundles the HTML export libraries.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Because the connection never verifies the server's certificate, anyone who can intercept the traffic (an on-path attacker, a hostile Wi-Fi network, a poisoned DNS answer) can impersonate the host and substitute the rankings, links, or generated HTML content shown to the user; a tampered response from the real endpoint has the same effect.

Why it was flagged

The data-fetching client contacts an external HTTPS host while explicitly disabling hostname and certificate verification; the same TLS pattern is also flagged in the HTML generator.

Skill content

host = "onetotenvip.com"
...
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

Recommendation

Use the default TLS context (certificate chain and hostname verification enabled, SNI sent for the real host), fail closed on any certificate error instead of falling back to an unverified connection, and validate provider-returned URLs and escape provider-returned text before rendering them into HTML.
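The following is an added example, not code from the skill or from ClawScan. It places the flagged context construction next to a verifying one, adds a check a reviewer can run against any SSLContext, and shows the "validate URLs, escape text" half of the recommendation on a constructed provider response. Only the host onetotenvip.com comes from the skill content above; the allow-list of link hosts, the sample response and the function names are assumptions for illustration.

```python
import html
import json
import ssl
from typing import List, Optional
from urllib.parse import urlsplit

# Host taken from the skill content; the link allow-list is an assumption for this example.
PROVIDER_HOST = "onetotenvip.com"
ALLOWED_LINK_HOSTS = frozenset({PROVIDER_HOST, "xiaohongshu.com", "www.xiaohongshu.com"})


def flagged_context() -> ssl.SSLContext:
    """The pattern the scanner flagged: any certificate for any name is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the certificate's name is never compared to the host
    ctx.verify_mode = ssl.CERT_NONE   # the chain is never validated
    return ctx


def verifying_context() -> ssl.SSLContext:
    """Corrected: system trust store, chain and hostname checked, fails closed.

    A handshake against a bad certificate raises ssl.SSLCertVerificationError;
    do not catch it and retry with a weaker context.
    """
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only when both chain validation and hostname matching are enabled."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def safe_link(url: str) -> Optional[str]:
    """Return the URL only if it is an https link to an allow-listed host, else None."""
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:                 # e.g. malformed IPv6 brackets
        return None
    if parts.scheme != "https" or not parts.hostname:   # rejects javascript:, data:, http:
        return None
    if parts.hostname not in ALLOWED_LINK_HOSTS:        # urlsplit lower-cases the hostname
        return None
    if parts.username or parts.password:                # https://trusted@evil/ style confusion
        return None
    return url


def render_entries(provider_json: str) -> List[str]:
    """Turn a provider response into HTML list items without trusting its contents."""
    entries = json.loads(provider_json)
    if not isinstance(entries, list):
        raise ValueError("unexpected response shape")
    items = []
    for entry in entries:
        title = html.escape(str(entry.get("title", "")), quote=True)
        link = safe_link(str(entry.get("url", "")))
        if link is None:
            items.append(f"<li>{title}</li>")           # keep the text, drop the link
        else:
            href = html.escape(link, quote=True)
            items.append(f'<li><a href="{href}" rel="noopener noreferrer">{title}</a></li>')
    return items


# Constructed stand-in for a provider response; not captured from the real endpoint.
SAMPLE_RESPONSE = json.dumps([
    {"title": "Spring outfit ideas", "url": "https://www.xiaohongshu.com/explore/abc123"},
    {"title": "<img src=x onerror=alert(1)>", "url": "javascript:alert(document.cookie)"},
])

if __name__ == "__main__":
    print("flagged context verifies:", context_verifies(flagged_context()))
    print("corrected context verifies:", context_verifies(verifying_context()))
    print("\n".join(render_entries(SAMPLE_RESPONSE)))
```

The check_hostname flag has to be cleared before verify_mode can be set to CERT_NONE, which is why the flagged pattern always appears as that two-line pair; grepping a skill for either line is a quick static signal. The second entry in the constructed response shows why both halves of the recommendation matter: the javascript: link is dropped by the scheme check, and the title is escaped so it renders as text instead of as an element.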

What this means

The category and date you query are sent to this external service; the reviewed artifacts show no evidence of credentials or local files being sent.

Why it was flagged

The skill sends query date/category parameters to a third-party backend rather than a clearly named Xiaohongshu endpoint.

Skill content

host = "onetotenvip.com"
source = quote("小红书单日数据爆款文章-ClawHub")
path = f"/story/cozeSkill/getXhsCozeSkillDataOne?rankDate={rank_date}&source={source}&category={category_encoded}"

Recommendation

Disclose the backend provider and its privacy and retention behavior, and avoid using sensitive personal terms as query categories unless the provider is trusted.

What this means

Opening the generated HTML depends on JavaScript served by a third-party CDN at viewing time: if the CDN is unreachable the export features stop working, and if the files it serves are replaced, the substituted script runs with full access to the page.

Why it was flagged

The generated HTML loads export libraries from a remote CDN at viewing time.

Skill content

<script src="https://cdnjs.cloudflare.com/ajax/libs/html2canvas/1.4.1/html2canvas.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jspdf/2.5.1/jspdf.umd.min.js"></script>

Recommendation

Bundle these libraries into the generated file, or keep the version-pinned URLs and add Subresource Integrity (an integrity attribute plus crossorigin="anonymous") so the browser refuses a modified file, and disclose that the HTML page loads third-party scripts.
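An added example, not part of the skill or of this review, of how the generator could emit script tags with Subresource Integrity and how a reviewer can check a downloaded file against an integrity value. The script URLs are the ones quoted above; the library bytes used here are a constructed stand-in, so the hash it produces is not the real html2canvas hash. A real integrity value must be computed from the exact bytes the CDN serves.

```python
import base64
import hashlib
import html
from typing import Dict, Set

SRI_ALGOS = ("sha256", "sha384", "sha512")   # algorithms browsers accept, weakest to strongest

# Constructed stand-in for a CDN-served library; the real html2canvas/jsPDF files are not embedded.
SAMPLE_LIB = b"/* constructed stand-in for html2canvas.min.js */\nwindow.html2canvas = function () {};\n"
HTML2CANVAS_URL = "https://cdnjs.cloudflare.com/ajax/libs/html2canvas/1.4.1/html2canvas.min.js"


def sri_token(data: bytes, algo: str = "sha384") -> str:
    """Build one integrity token, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(data: bytes, integrity: str) -> bool:
    """Check data against an integrity attribute the way a browser does.

    Only tokens of the strongest recognised algorithm are consulted, and any one of
    them may match. Unrecognised algorithms are ignored. An attribute with no usable
    token fails closed here; a browser would load the resource unchecked in that case.
    """
    by_algo: Dict[str, Set[str]] = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(value.split("?", 1)[0])  # strip options
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    expected = sri_token(data, strongest).split("-", 1)[1]
    return expected in by_algo[strongest]


def pinned_script_tag(src: str, data: bytes) -> str:
    """Script tag with a version-pinned URL, an integrity hash and the CORS mode SRI needs."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_token(data)}" crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(pinned_script_tag(HTML2CANVAS_URL, SAMPLE_LIB))
    print("tampered copy accepted:", sri_matches(SAMPLE_LIB + b"//x", sri_token(SAMPLE_LIB)))
```

For the real files, fetch the pinned URL once, compute the token from the downloaded bytes (the same value `openssl dgst -sha384 -binary file | openssl base64 -A` prints, prefixed with `sha384-`), and keep that token with the generator. crossorigin="anonymous" is required: without it a cross-origin script is opaque to the page and the browser cannot verify the hash at all.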

What this means

If you subscribe, the agent may produce recurring daily hot-list outputs.

Why it was flagged

The skill advertises recurring daily push behavior, but presents it as a subscription option rather than hidden persistence.

Skill content

自动订阅推送:支持每日19:30固定时间推送最新榜单到消息栏
(Automatic subscription push: supports pushing the latest ranking to the message panel at a fixed time of 19:30 every day)

Recommendation

Subscribe only if you want recurring messages, and verify that cancel/unsubscribe behavior works as described.