rednote(xiaohongshu,xhs)

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its Rednote purpose, but it can use your logged-in account to publish, comment, follow, like, and save content while storing session cookies locally.

Install only if you are comfortable letting the skill operate your Rednote account through a browser session. Keep rednote_cookies.json private, review all publish/comment/follow/like actions before they run, and consider adding manual approval steps for any public or account-mutating action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked on the wrong input or by an over-eager agent, the skill could publish or engage from the user's Rednote account.

Why it was flagged

These documented commands can mutate a logged-in social account and publish public content. The artifacts show direct execution paths but do not show an explicit confirmation or preview step before these high-impact actions.

Skill content

- **Comment on Note**: `python scripts/comment_note.py <NOTE_URL> <COMMENT_TEXT>`
- **Follow User**: `python scripts/follow_user.py <NOTE_URL>`
- **Publish Note**: `python scripts/publish_note.py --image-urls <IMG1 [IMG2 ...]> --title <TITLE> --content <CONTENT> --tags <TAG1 [TAG2 ...]>`

Recommendation

Require explicit user approval before publish, comment, follow, like, or collect actions; add a preview/dry-run mode and validate that note URLs are intended xiaohongshu.com URLs.

What this means

Anyone or any process that can read this file may be able to reuse the user's Rednote session.

Why it was flagged

The skill saves Playwright browser storage state, including login/session cookies, to a local file for later authenticated use.

Skill content

```python
cookies_file = "rednote_cookies.json"
storage_state = context.storage_state(path=cookies_file)
```

Recommendation

Store the cookie file securely, do not share it, delete it when no longer needed, and declare this credential/config path clearly in metadata.

What this means

The user must trust the package source and the browser-driver installation performed in their environment.

Why it was flagged

The skill relies on manual, unpinned dependency installation rather than a reviewed install spec or lockfile.

Skill content

- Playwright (install with `pip install playwright`)
- Playwright drivers (install with `playwright install`)

Recommendation

Provide a pinned install spec or lockfile. Users should install dependencies only from trusted package sources.