xiaohongshu-extract
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If given a non-XHS or internal/private URL, the script may still attempt to contact it, even though it is intended for public Xiaohongshu links.
A user-supplied URL is passed directly to an outbound HTTP GET. This matches the stated XHS extraction purpose, but the visible code does not show domain validation restricting requests to Xiaohongshu.
parser.add_argument("url", help="XHS share or discovery URL") ... requests.get(url, allow_redirects=True, timeout=timeout, headers={"User-Agent": DEFAULT_UA})
Use only public Xiaohongshu share or discovery URLs. A maintainer could add an explicit XHS domain allowlist before making the request.
The skill may rely on the local Python environment and dependencies being present, and the registry metadata does not fully describe that setup.
The skill directs users or agents to run a bundled Python script, while the provided install information says there is no install spec and the registry lists no required binaries or environment setup.
python scripts/xiaohongshu_extract.py "<xhs_url>" --pretty
Before relying on it, confirm the bundled script is the expected code and that Python plus required packages such as requests are available. Maintainers should declare runtime dependencies explicitly.
