xiaohongshu-extract

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it says, fetching a public Xiaohongshu link and extracting metadata, with two minor cautions: it issues outbound HTTP requests to a user-supplied URL without visible domain restriction, and its dependency and provenance metadata is incomplete.

This skill is reasonable to use for public Xiaohongshu links. Provide only public XHS URLs, avoid using it on private/internal URLs, and choose any --output file path deliberately. For better assurance, the maintainer should declare Python/package requirements and add an explicit Xiaohongshu domain allowlist.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1 of 2

What this means

If given a non-XHS or internal/private URL, the script may still attempt to contact it, even though it is intended for public Xiaohongshu links.

Why it was flagged

A user-supplied URL is passed directly to an outbound HTTP GET. This matches the stated XHS extraction purpose, but the visible code does not show domain validation restricting requests to Xiaohongshu.

Skill content
parser.add_argument("url", help="XHS share or discovery URL") ... requests.get(url, allow_redirects=True, timeout=timeout, headers={"User-Agent": DEFAULT_UA})
Recommendation

Use only public Xiaohongshu share or discovery URLs. A maintainer could add an explicit XHS domain allowlist before making the request. Because the visible call sets allow_redirects=True, checking only the initial URL is not enough: a permitted short link could redirect the request elsewhere, so redirect targets need the same check, or automatic redirects should be disabled and each hop validated before it is followed.
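One way to implement the recommended allowlist, as an added example that is not the skill's own code: the hostnames in ALLOWED_HOSTS, the DEFAULT_UA value and the redirect chain in _FAKE_NET are assumptions constructed for the demo. Since the skill's request sets allow_redirects=True, the example turns automatic redirects off and re-validates every hop, so a permitted short link cannot bounce the request to a non-Xiaohongshu or internal address.

```python
"""Allowlist-gated fetch for Xiaohongshu URLs.

Added example, not the skill's own code. The host list, the DEFAULT_UA value
and the constructed redirect chain below are assumptions for the demo.
"""
import ipaddress
from urllib.parse import urljoin, urlparse

DEFAULT_UA = "Mozilla/5.0 (example)"  # assumed; the skill defines its own value
# Assumed Xiaohongshu hosts. Subdomains of these entries are accepted; IP
# literals, look-alike domains and internal hosts are refused.
ALLOWED_HOSTS = ("xiaohongshu.com", "xhslink.com")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_allowed_xhs_url(url: str) -> bool:
    """Return True only for https URLs on the default port whose host is allowlisted."""
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # .hostname drops any user@ prefix, so "https://www.xiaohongshu.com@evil.example/"
    # yields "evil.example" and fails the allowlist below.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or port not in (None, 443):
        return False
    try:
        ipaddress.ip_address(host)  # bare IP literal, e.g. 127.0.0.1 or 169.254.169.254
        return False
    except ValueError:
        pass
    # Exact match or a true subdomain; "xiaohongshu.com.evil.example" fails this.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def fetch_xhs(url, fetch=None, timeout=10, max_redirects=5):
    """Fetch `url`, re-checking the allowlist on every redirect hop.

    `fetch(u)` must return an object with .status_code and .headers. By default
    it is requests.get with allow_redirects=False, so no hop is followed before
    it has been validated.
    """
    if fetch is None:
        import requests  # imported lazily; only needed for real network use

        def fetch(u):
            return requests.get(u, allow_redirects=False, timeout=timeout,
                                headers={"User-Agent": DEFAULT_UA})

    current = url
    for _ in range(max_redirects + 1):
        if not is_allowed_xhs_url(current):
            raise ValueError(f"refusing to fetch non-Xiaohongshu URL: {current}")
        resp = fetch(current)
        if resp.status_code not in REDIRECT_CODES:
            return resp
        location = resp.headers.get("Location")
        if not location:
            raise ValueError("redirect response without Location header")
        current = urljoin(current, location)  # a relative Location stays on-host
    raise ValueError("too many redirects")


class _FakeResponse:
    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        self.headers = headers or {}


# Constructed redirect chains standing in for the network (not real XHS data).
_FAKE_NET = {
    "https://xhslink.com/good": _FakeResponse(302, {"Location": "https://www.xiaohongshu.com/explore/1"}),
    "https://www.xiaohongshu.com/explore/1": _FakeResponse(200),
    "https://xhslink.com/evil": _FakeResponse(302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
}


def demo(url: str):
    """Run fetch_xhs against the constructed network; return the final status or the refusal message."""
    try:
        return fetch_xhs(url, fetch=lambda u: _FAKE_NET[u]).status_code
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(demo("https://xhslink.com/good"))  # 200
    print(demo("https://xhslink.com/evil"))  # refusal: redirect to a non-XHS http URL
    print(demo("https://127.0.0.1/"))        # refusal: IP literal, never fetched
```

The check deliberately uses exact-or-subdomain matching rather than a substring test, so that hosts merely containing "xiaohongshu.com" do not pass, and it validates the resolved redirect target rather than trusting wherever requests would have landed with allow_redirects=True.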

Finding 2 of 2

What this means

The skill may rely on the local Python environment and dependencies being present, and the registry metadata does not fully describe that setup.

Why it was flagged

The skill directs users or agents to run a bundled Python script, while the provided install information says there is no install spec and the registry lists no required binaries or environment setup.

Skill content
python scripts/xiaohongshu_extract.py "<xhs_url>" --pretty
Recommendation

Before relying on it, confirm that the bundled script is the expected code and that Python plus the packages it imports, such as requests, are available in the environment where it will run. Maintainers should declare runtime dependencies explicitly so that this setup is recorded in the registry metadata rather than assumed.