xhs-title-copywriter (Xiaohongshu viral title generator)
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill is mostly aligned with generating Xiaohongshu titles, but its data-fetching script deliberately disables HTTPS certificate checks when contacting an external service, which makes the fetched data and user keywords less trustworthy.
Install only if you are comfortable running the included Python script and sharing your search keywords with the external trend-data service. Be especially cautious because the script disables HTTPS certificate verification, so fetched data should not be treated as fully trustworthy.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or misconfigured endpoint could tamper with returned trend data or observe submitted keywords more easily, causing the agent to base recommendations on untrusted data.
The helper script intentionally disables HTTPS hostname and certificate verification while contacting the external trend-data service.
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
Only install if you are comfortable with this network behavior; the maintainer should use normal verified HTTPS or clearly justify and constrain this workaround.
Search terms, product names, or campaign topics you provide may be shared with the external service.
The user’s keyword is sent to a third-party API endpoint to retrieve trend data.
base_url = "https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData"
params = {
    "keyword": keyword,
    "source": "小红书爆款标题创作-ClawHub"
}
Avoid entering confidential product launches or sensitive marketing plans unless you trust the external data provider.
If external trend content contains misleading or prompt-like text, the agent could accidentally treat it as relevant context rather than just source data.
The agent is instructed to read generated Markdown reports based on external trend data and use them as analysis context.
Read the generated `关键词_爆款数据.md` (or the path specified by the workflow) to analyze and cite real `photoId` links.
Treat fetched report contents as untrusted reference material and verify important titles, links, and statistics before using them publicly.
Users may not realize from registry metadata that Python/script execution is part of normal use.
The skill documents a Python dependency and helper-script execution, while the registry install requirements list no required binaries or install spec.
dependency:
  python:
    - requests>=2.28.0
Review the included script before running it and prefer a package with complete runtime and dependency declarations.
