xhs-comment-scraper
v1.0.0小红书评论爬虫。当用户在聊天中发送一个小红书博主主页链接时,自动抓取该博主所有笔记下的评论区数据,保存为本地JSON文件,并生成分析可视化报告。触发条件:用户发送的链接包含 xiaohongshu.com/user/profile 或类似博主主页链接。
⭐ 1· 112·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (scrape Xiaohongshu comments, save JSON, generate report) match the provided instructions and the single Python helper. The skill asks for browser and exec capabilities in docs (to open Chrome and run Python) which is consistent with the stated functionality. No unrelated cloud credentials, services, or binaries are required.
Instruction Scope
Runtime instructions instruct the agent to open a local Chrome profile (profile="openclaw"), navigate the Xiaohongshu site, click to expand replies, extract document.body.innerText, and save files under the user's Downloads folder. This is within scope for a scraper but does involve reading full page text and taking screenshots (debugging). The docs require the user to scan a QR to log in—this gives the browser session access to the user's Xiaohongshu account and should be done knowingly. There is a minor internal inconsistency: the guidance says DOM selectors 'all invalid' for comments yet still uses querySelectorAll in places (acceptable for collecting note links but worth noting).
Install Mechanism
No install spec; instruction-only plus one small Python script (save_comments.py). Nothing is downloaded from arbitrary URLs or extracted to disk by the skill itself. This is low-risk from an install mechanism perspective.
Credentials
The skill declares no environment variables, credentials, or external tokens. It does require local browser and exec permissions (documented). It reads/writes files under the user's Downloads folder and references a local font path (C:\Windows\Fonts\STSONG.TTF) for plotting—these file accesses are proportional to generating reports and are explained in the docs.
Persistence & Privilege
always:false and disable-model-invocation:false (default autonomous invocation allowed). The skill does not request permanent system presence, nor does it modify other skills or system-wide configuration. It writes files only to user-downloads paths under its own scope.
Assessment
This skill appears to do what it claims, but before installing consider: (1) It will open a local Chrome window and ask you to scan a Xiaohongshu QR code — doing so gives that browser session access to your account, so only log in if you consent. (2) The skill writes JSON and report files to your Downloads folders and may take screenshots for debugging — review those files after a run. (3) It requires the agent's browser and exec tools (to control Chrome and run Python); grant those capabilities only if you trust the skill. (4) Scraping may trigger captchas or violate Xiaohongshu's terms of service—use responsibly. If you want more assurance, inspect the included scripts (save_comments.py) yourself and run the skill on a throwaway or non-sensitive machine/account first.Like a lobster shell, security has layers — review code before you run it.
latestvk9712e8vqf50vgdt83p414sc4x83gd2d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.