xiaohongshu-extract
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill Suspicious High-Entropy/Eval files: 1 The OpenClaw skill 'xiaohongshu-extract' is designed to extract metadata from Xiaohongshu URLs. The `SKILL.md` provides clear, benign instructions for the agent to use the bundled Python script `scripts/xiaohongshu_extract.py`. The Python script uses the `requests` library to fetch the user-provided URL and parses the HTML to extract JSON data. It includes standard features like writing output to a file, which is not indicative of malicious intent. There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection attempts against the agent to perform actions outside the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If given a non-XHS or internal/private URL, the script may still attempt to contact it, even though it is intended for public Xiaohongshu links.
A user-supplied URL is passed directly to an outbound HTTP GET. This matches the stated XHS extraction purpose, but the visible code does not show domain validation restricting requests to Xiaohongshu.
parser.add_argument("url", help="XHS share or discovery URL") ... requests.get(url, allow_redirects=True, timeout=timeout, headers={"User-Agent": DEFAULT_UA})Use only public Xiaohongshu share or discovery URLs. A maintainer could add an explicit XHS domain allowlist before making the request.
The skill may rely on the local Python environment and dependencies being present, and the registry metadata does not fully describe that setup.
The skill directs users or agents to run a bundled Python script, while the provided install information says there is no install spec and the registry lists no required binaries or environment setup.
python scripts/xiaohongshu_extract.py "<xhs_url>" --pretty
Before relying on it, confirm the bundled script is the expected code and that Python plus required packages such as requests are available. Maintainers should declare runtime dependencies explicitly.