v1.0.1

Xiaohongshu Ops

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:22 AM.

Analysis

This skill is coherent for Xiaohongshu operations, but it should be reviewed because it uses a logged-in browser profile to act on a public social account and records operational history.

Guidance: Review this skill before installing. Use it only with a dedicated Xiaohongshu browser profile/account, replace the bundled persona and knowledge base with your own account details, inspect any referenced workspace scripts before running them, and require explicit confirmation before every publish or comment action.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
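Severity: Medium | Confidence: High | Status: Note
references/xhs-comment-ops.md
Wait for the user to confirm whether to reply ... click the red "发送" (Send) button (do not use Enter) ... default one-send-per-turn: send only 1 message per turn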

The comment workflow can perform public reply actions through the browser. The documented confirmation and one-send-per-turn limits reduce risk, but users should still notice this mutation authority.

User impact: A mistaken target or reply could be posted publicly from the account.
Recommendation: Keep the one-reply-per-turn rule, verify the target username/comment before sending, and require explicit user approval for every public action.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
references/illustration-prompts.md
<WORKSPACE>/scripts/generate-image.sh "prompt内容" output.jpg ... <WORKSPACE>/scripts/seedream-generate.sh "prompt内容" output.jpg "1680x2240" 1

The skill references local helper scripts and external image-generation workflows that are not included in the provided package. This is purpose-aligned for image generation, but their provenance is outside the reviewed artifacts.

User impact: Running unreviewed local scripts could use external APIs, credentials, or file access not visible in this skill package.
Recommendation: Inspect and trust the referenced workspace scripts before allowing the agent to run them; prefer pinned, documented helpers.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
persona.md
**王凯 (Aaron)**, AI product manager, personal account.

The package presents itself as reusable Xiaohongshu operations, but the default persona is hardcoded to a specific individual. If not replaced, public drafts or replies may reflect the wrong identity.

User impact: The agent could generate public-facing content in a persona that does not match the installing user or account.
Recommendation: Replace `persona.md` and the bundled knowledge-base examples with the target account’s actual identity, tone, and boundaries before using the skill for posting.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
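Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Always use the built-in browser profile: `openclaw` ... First log the account in to the creator backend, and confirm the page is operable in the `openclaw` profile.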

This shows the skill expects to use an existing logged-in browser profile to operate a Xiaohongshu account. That is high-impact delegated account access, especially because the registry declares no primary credential or config boundary.

User impact: If installed in a logged-in environment, the agent may be able to draft, fill, reply, and potentially publish through the user’s social account.
Recommendation: Use a dedicated Xiaohongshu account/profile, confirm every publish or reply manually, and require the skill metadata to declare the browser-profile/authentication dependency.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
After completing each analysis/publish/reply/review, proactively write to the knowledge base (path: `knowledge-base/`).

The skill maintains persistent local memory of analyses, publishing actions, replies, and reviews. This is scoped and useful for operations, but it can preserve sensitive account strategy or interaction history.

User impact: Future tasks may reuse stored operational notes, including account details, past failures, or public-interaction records.
Recommendation: Review the `knowledge-base/` contents periodically, avoid storing private credentials or sensitive user data, and clear stale or account-specific records when switching accounts.

Insecure Inter-Agent Communication
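Severity: Medium | Confidence: High | Status: Note
SKILL.md
If screenshot confirmation is involved, prefer sending it to Feishu as an attachment, and publish only after the user confirms.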

The skill may send screenshots or confirmation artifacts to Feishu. This is disclosed and tied to user confirmation, but it is an external communication channel that may contain unpublished content or account-state screenshots.

User impact: Drafts, screenshots, or account page details could be shared into a Feishu workspace.
Recommendation: Confirm the destination Feishu workspace/channel before sending attachments and avoid including sensitive account or private-user information in screenshots.