Xiaohongshu Image-and-Text Creation (小红书图文创作)
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a normal Xiaohongshu content generator, but it deserves review because its recommended image workflow can start an exposed callback/tunnel using helper scripts not included in the package and it reads an API key.
Before installing, decide whether you will use the Seedream path or the KIE path. If using Seedream, create only the intended API-key credential file and verify the endpoint. Avoid the KIE callback/tunnel workflow until the missing helper scripts are provided and reviewed, and if you run any tunnel or callback service, stop it after the image is generated.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The image workflow may fail or may require running extra, unreviewed code outside the supplied skill package.
The recommended KIE image workflow depends on helper scripts that are referenced by the instructions but are not present in the provided file manifest, leaving the executable provenance and required setup unclear.
python3 ${SKILL_DIR}/scripts/kie-callback-server.py & ... python3 ${SKILL_DIR}/scripts/kie-create-task.py ... python3 ${SKILL_DIR}/scripts/kie-wait-download.py
Do not use the KIE workflow until the missing helper scripts and required binaries are supplied, reviewed, and declared; otherwise prefer the included Seedream script.
A local service could remain running or reachable longer than intended while the tunnel is active.
This starts a local callback server in the background and exposes it through a public Cloudflare tunnel, but the artifacts do not document shutdown, origin checks, or scope limits.
python3 ${SKILL_DIR}/scripts/kie-callback-server.py &
cloudflared tunnel --url http://127.0.0.1:8787
Run callback/tunnel commands only when necessary, stop both processes immediately after image generation, and document the callback server’s accepted routes and validation behavior.
Running the Seedream image path requires access to a provider API key and sends the cover prompt to the configured image API endpoint.
The included Seedream script reads a local API key and uses it as a bearer token for the image-generation API; this is purpose-aligned, with no hardcoded or logged key shown, but it is sensitive credential access.
CREDENTIALS_FILE = "/root/.openclaw/credentials/seedream.json" ... "Authorization": f"Bearer {API_KEY}"
Store only the intended Seedream API key in that credential file, verify the endpoint, and avoid placing unrelated secrets there.
