Skill v1.0.0

ClawScan security

小红书数据分析 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 8:40 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally coherent for Xiaohongshu data analysis: included scripts operate on sample data and expect XHS_API_KEY / XHS_COOKIE if the user supplies real credentials; there is no hidden network endpoint or installer.
Guidance
This package appears to be a straightforward Xiaohongshu analytics toolbox implemented with local Python scripts that return sample data unless you provide credentials. Before installing or running:

- Be cautious about providing real cookies or API keys (XHS_COOKIE, XHS_API_KEY). Cookies contain session credentials and can grant account access; only use credentials you control and understand the security/privacy implications.
- The registry metadata did not declare the env vars the scripts expect (XHS_API_KEY, XHS_COOKIE). The SKILL.md documents them; confirm this mismatch with the publisher or the source before supplying secrets.
- The code currently uses sample data and contains TODOs for real API calls; network/API behavior is not implemented, but if you or a future maintainer add real HTTP calls, review them to ensure they call official endpoints and respect rate limits and platform terms.
- Do not run these scripts with high-frequency automated requests against Xiaohongshu without appropriate authorization; follow platform rules and rate limits.
- Source is unknown; if you need higher assurance, obtain the skill from a trusted source or review and run the code in an isolated environment first.

If you want, I can (1) point out specific lines that expect env vars and where to safely sanitize output, or (2) produce a checklist for safely testing the skill in a sandbox.

Review Dimensions

Purpose & Capability · ok
Name/description (小红书数据分析) match the delivered files and functions: search, author analysis, trend, compare, and report generation. The scripts' behavior (returning sample data unless credentials are provided) is consistent with the stated purpose.
Instruction Scope · ok
SKILL.md instructs how to run the included scripts and how to set the API key/cookie; it does not direct the agent to read unrelated files, exfiltrate secrets, or post data to unknown endpoints. The instructions acknowledge alternative data sources and rate-limiting concerns.
Install Mechanism · ok
No install spec; this is an instruction-plus-local-scripts skill. All code is included in the package; there are no downloads, URL fetches, or archive extraction steps that would write arbitrary code to disk at install time.
Credentials · note
The scripts read XHS_API_KEY and XHS_COOKIE (and optional REQUEST_DELAY/REQUEST_TIMEOUT) from the environment, which is appropriate for this skill. However, the registry metadata lists no required env vars, a minor mismatch: the skill expects credentials documented in SKILL.md, but the manifest did not declare them.
Persistence & Privilege · ok
The manifest's always flag is false and the skill is user-invocable; it does not request a persistent or privileged presence, nor does it modify other skills or system settings.