Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaohongshu Skill

v1.1.0

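Xiaohongshu content tool, Windows native edition. Built on Node.js + Playwright, it directly controls a local Chromium browser, with no WSL, no Linux binaries, no Python, and no external services required. Core features: - 🔍 Content search - keyword search, analyze popularity rankings - 📊 Topic reports - automatically generate trending-topic analysis...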

by 多动朕 @ken0521
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Windows Xiaohongshu tool using Node.js + Playwright) match the included scripts (xhs-core.js and xhs.js). The code implements login, search, detail, publish, and track features described in SKILL.md. No unrelated cloud credentials, binaries, or external services are required by the code.
Instruction Scope
Runtime instructions and SKILL.md are consistent with the code: install playwright, download Chromium, run commands from a non-Chinese path, and use login which opens a browser for manual authentication. The skill reads/writes to %USERPROFILE%\.xiaohongshu-win (cookies, browser profile, reports) which is appropriate for storing session/profile data. One minor mismatch: SKILL.md mentions an '即梦AI' cover-generation integration, but no obvious references to an external AI service appear in the visible code (the core file was truncated in the listing—this could be implemented elsewhere).
Install Mechanism
There is no special install spec bundled; the project relies on npm (playwright) and npx playwright install chromium as documented—standard for Playwright. Playwright will download Chromium from its configured host (SKILL.md suggests using npm mirror if needed). No custom download URLs, shorteners, or unexpected installers are present in the repo files provided.
Credentials
The skill declares no required env vars but the code uses common environment variables: %USERPROFILE% for data storage and optional PLAYWRIGHT_BROWSERS_PATH / PLAYWRIGHT_DOWNLOAD_HOST for browser location/download mirror. It stores and updates site cookies (cookies.json) and a browser profile in the user's home directory—this is expected behavior for a browser automation tool, but users should understand these files contain session tokens and persistent profile data.
Persistence & Privilege
The skill does not request 'always: true' or elevated platform privileges. It persists data only under the user's profile directory (.xiaohongshu-win). Included migrate-and-test script will copy cookies from an older path and trigger a status check, which is consistent with a migration helper rather than an escalation of privileges.
Assessment
This skill appears to do what it says: control a local Chromium via Playwright to search, read, report on, and (optionally) publish Xiaohongshu content. Before installing, consider: (1) the tool will store login cookies and a persistent browser profile under %USERPROFILE%\.xiaohongshu-win — those files contain your session and should be protected; (2) publishing actions are supported — review and test publish flows in a safe account to avoid accidental posts; (3) Playwright will download a ~150MB Chromium binary from the Playwright download mirror unless you point it elsewhere; (4) SKILL.md mentions an AI cover-generation integration not visible in the shown code — if that feature is important, ask the author where that integration runs and whether it contacts an external API; (5) run the script from an account/workspace you trust (the author warns about paths with non-ASCII characters). If you need stronger assurance, review the remaining/truncated portions of xhs-core.js (publish/checkStatus implementations) and verify there are no unexpected network endpoints or telemetry before granting continued use.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/xhs-core.js:16: Environment variable access combined with network send.
scripts/xhs-core.js:28: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Tags: chinese, latest, social-media, windows, xiaohongshu


Runtime requirements

📕 Clawdis
