xhs 多用户
v0.0.9Automate Xiaohongshu (小红书/Red) — search notes, publish content, interact (like/collect/comment/follow), scrape data, manage multiple accounts. Use when user...
⭐ 1· 202·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the code and scripts: Playwright-based automation for login, search, publish, interact, scrape and multi-account handling. The included anti-detect/stealth, fingerprint presets, cookie management, and CLI commands are expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to run local npm/tsx scripts, read/save per-user cookie files and QR images (users/*/tmp), and produce structured JSON outputs for channel integrations. It also describes channel-specific behaviors (Feishu/WeChat/Enterprise WeChat) and expects the agent to handle image display and callback-triggered calls to the CLI. These instructions stay inside the skill's automation scope but give the agent discretion to handle/outbound messages and to present QR images — review how outputs (QR, cookies) are exposed to your agent or channels.
Install Mechanism
Install uses normal Node dependencies (playwright, tsx, commander, dotenv). Playwright's install step downloads browser binaries at runtime (npx playwright install chromium) which requires network access and writes browser artifacts locally — standard for browser automation but a higher install-surface than instruction-only skills.
Credentials
The skill requests no external API keys or platform credentials in metadata. It uses a local .env for optional PROXY, HEADLESS, BROWSER_PATH, etc., and stores cookies per user in repository directories. Channel integration (Feishu/WeChat) is documented but the skill does not declare required channel credentials — if you wire those up you will need to provide them separately. Storing cookies and proxy settings is necessary for the stated functionality; ensure you treat them as sensitive.
Persistence & Privilege
always is false and the skill does not request elevated agent/system privileges. It does write files within its working directory (users/, tmp/, cookies.json) and registers no global changes to other skills or system configs.
Assessment
This skill is coherent with its purpose — it automates Xiaohongshu using Playwright and includes anti-detection tooling and multi-account cookie storage. Before installing, consider: 1) Run it in an isolated environment or VM because Playwright will download and run browsers and the code exercises web automation. 2) Use secondary/test accounts (the README warns of detection/blocking). 3) Treat users/*/cookies.json and any .env values (PROXY, BROWSER_PATH) as sensitive; do not paste real account cookies into shared logs. 4) If you plan to integrate with Feishu/WeChat, note you'll need to supply credentials/robot tokens separately and review how callbacks are delivered. 5) If you are uncomfortable with anti-detection/fingerprint modification (designed to evade bot detection), audit the stealth code yourself. If you want a stricter assessment, provide the omitted source files (remaining 74 files) or point to a canonical upstream repository/commit for provenance verification.Like a lobster shell, security has layers — review code before you run it.
latestvk9781x2v8q982wevr6nxjeb66x83wh2c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📕 Clawdis
Binsnode, npx
Install
Install dependencies (playwright, tsx, commander, dotenv)