xhs-explosive-detector(小红书爆款雷达)
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated trend-reporting purpose, but its data-fetching code disables HTTPS certificate checks, which could let results be tampered with.
Review before installing. If you use it, avoid confidential strategy keywords, run it in a low-risk environment, and treat the generated trend data as untrusted until the maintainer restores normal HTTPS certificate verification and documents the external API provider.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or misconfigured proxy could impersonate the API and alter rankings, links, or report contents shown to the user.
The script deliberately disables TLS certificate verification and hostname checking when fetching the external API, so the agent cannot authenticate the server it is trusting for report data.
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
ssl_sock = context.wrap_socket(sock, server_hostname=None)
Do not rely on this skill for important decisions until TLS verification is fixed; the maintainer should use verified HTTPS, for example requests with verify enabled or ssl.create_default_context with server_hostname set.
Search terms, dates, and potentially business-sensitive content-planning interests may be visible to the external API provider.
User-supplied keywords and dates are sent to a hardcoded third-party provider domain; this is aligned with the skill's purpose, but the provider boundary is not clearly named in the user-facing documentation.
base_url = "https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData"
params = {"keyword": keyword, "source": "小红书爆款笔记洞察new-ClawHub"}
Use non-confidential query terms unless you trust the provider, and ask the maintainer to document the API provider, data handling, and retention expectations.
