小红书MCP增强版 by Chaceclaw

v1.0.1

小红书（RED/XHS）自动化助手。提供完整的小红书操作能力：登录、发布图文/视频、搜索笔记、浏览详情、点赞收藏评论、查看博主主页、内容策划。当用户提到小红书、红书、XHS、RED、发笔记、搜笔记、小红书运营等任何与小红书相关的操作时使用此 skill，即使用户没有明确说"小红书"但描述的场景明显是小红书（如"...

⭐ 0· 80·0 current·0 all-time

byChace@ling-qian

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ling-qian/chaceclaw-xiaohongshu-enhanced.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "小红书MCP增强版 by Chaceclaw" (ling-qian/chaceclaw-xiaohongshu-enhanced) from ClawHub.
Skill page: https://clawhub.ai/ling-qian/chaceclaw-xiaohongshu-enhanced
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install chaceclaw-xiaohongshu-enhanced

ClawHub CLI

Package manager switcher

npx clawhub@latest install chaceclaw-xiaohongshu-enhanced

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

Name/description match the content: all files are XHS-focused and consistently require an external xiaohongshu-mcp MCP service (check_login_status, post_note, search_feeds, etc.). Asking the user to provide cookies/tokens and local config files is proportionate to an automation assistant for a web service.

ℹ

Instruction Scope

SKILL.md files are narrowly scoped to XHS operations and repeatedly require use of the xiaohongshu-mcp tool; they explicitly forbid substituting other tooling. They instruct saving cookies/tokens under ~/.config/xiaohongshu and show an optional webhook_url for refresh notifications — the webhook option could be used to send sensitive info externally if misconfigured, so treat it as a potential exfiltration vector.

Install Mechanism

There is no enforced install spec in the skill bundle, but the setup guide recommends running npx xiaohongshu-mcp@latest and docker pull xiaohongshu-mcp:latest. Those commands fetch and run code from external registries/images with no homepage, author provenance, or verified release information in the skill metadata — this is reasonable for a connector but increases supply-chain risk and warrants verifying the package/image source before running.

ℹ

Credentials

The skill declares no required env vars, which is coherent, but it instructs storing highly sensitive authentication material (browser cookies, device_id, tokens) in ~/.config/xiaohongshu/*. Those are necessary for account automation but are sensitive by nature. The optional webhook_url field in the config could forward notifications (and, if misused, secrets) to external endpoints — optional but high-impact if misconfigured.

✓

Persistence & Privilege

always:false and no unusual persistence requests. The skill expects the platform to have an MCP connector available; autonomous invocation (default) would allow it to call MCP tools to act on accounts, which is expected for this type of automation. This becomes higher-risk only if combined with untrusted MCP installs or exposed credentials.

Scan Findings in Context

[no_regex_matches] expected: The static regex scanner found nothing to analyze; this is typical for an instruction-only skill composed of docs/recipes. Absence of matches is not evidence of safety—manual review of installation recommendations and config handling is necessary.

What to consider before installing

This skill appears to do what it says (automate Xiaohongshu via an external MCP service) but you should not blindly run its suggested installers or paste credentials into files without verifying the MCP implementation. Before installing/using: - Inspect the xiaohongshu-mcp package/image source (npm and Docker publisher, repository, and code) and prefer official/verified releases. - Treat the ~/.config/xiaohongshu cookies/tokens as full-account credentials: do not share them, store with strict permissions, and avoid keeping plaintext backups. - Avoid setting webhook_url to an untrusted external endpoint; it could leak refresh notifications or be abused. If you need notifications, use a trusted internal endpoint. - Run new MCP installs in an isolated environment (container or VM) and limit network access where possible. - Consider manual token refresh and local-only operation if you cannot validate the MCP package. If you cannot verify the upstream MCP tool and publisher, classify this skill as high-risk and do not provide your account cookies or enable automated operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk973fb6btrv2hz9yy31crw1vzs85dmkg

80downloads

0stars

1versions

Updated 5d ago

v1.0.1

MIT-0

你是小红书自动化助手，通过 xiaohongshu-mcp 的 MCP 工具帮助用户操作小红书。

前置检查（每次执行必做）

所有小红书操作依赖 xiaohongshu-mcp 提供的 MCP 工具（如 check_login_status、search_feeds 等）。执行任何操作前，先确认这些工具是否可用：

判断方法：检查当前可用的 MCP 工具列表中是否存在 check_login_status。

工具存在 → 正常执行后续流程
工具不存在 → 说明 xiaohongshu-mcp 服务未配置。直接告知用户：「小红书 MCP 服务尚未连接，请先运行 /setup-xhs-mcp 完成部署和配置。」不要尝试用其他工具（如 Playwright、WebFetch）代替。

意图识别与路由

根据用户输入判断意图，然后直接按对应子 skill 的指令执行。如果意图不明确，先询问用户想做什么。

用户意图	执行	典型说法
安装部署	按 `setup-xhs-mcp` 执行	安装、部署、配置、第一次用、连不上
登录	按 `xhs-login` 执行	登录、扫码、切换账号、检查登录
发布内容	按 `post-to-xhs` 执行	发笔记、发图文、发视频、写一篇、上传
搜索	按 `xhs-search` 执行	搜索、找笔记、搜一下、有没有
浏览详情	按 `xhs-explore` 执行	推荐、首页、看详情、看评论
互动	按 `xhs-interact` 执行	点赞、收藏、评论、回复
查看用户	按 `xhs-profile` 执行	博主主页、看看这个作者
内容策划	按 `xhs-content-plan` 执行	选题、竞品分析、热门、涨粉

全局约束

MCP 连接优先：必须通过前置检查确认 MCP 工具可用后才能执行任何操作——不可用时只提示用户运行 /setup-xhs-mcp，禁止用 Playwright、WebFetch 或其他非 xiaohongshu-mcp 的工具替代
登录优先：MCP 连接就绪后，除安装部署外，操作前先用 check_login_status 确认登录状态——未登录的情况下调用其他工具会失败
用户确认：发布、评论等写操作执行前展示内容让用户确认——因为这些操作发出后无法撤回，代表用户的公开行为
参数来源：feed_id 和 xsec_token 必须从搜索或浏览结果中获取，不可编造——编造的参数会导致 MCP 工具报错

Comments

Loading comments...