Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
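Xiaohongshu Automation
v1.0.1 Xiaohongshu Automation: use the exec tool to run scripts to log in, publish, scrape trending topics, and generate AI images and text. All operations must be executed through the exec tool using uv run commands; do not use the browser tool.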
⭐ 3 · 1.1k · 6 current · 7 all-time
by Pearl @pearl799
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (uv), and required env vars (XHS_TOOLKIT_DIR, IMAGE_API_KEY, IMAGE_BASE_URL, IMAGE_MODEL) align with an automation toolkit that generates images and publishes posts. Requiring Chrome and local cookie storage is coherent for a web-automation/publishing tool. The only mildly odd item is marking a directory path (XHS_TOOLKIT_DIR) as the primaryEnv, but this is explainable because the skill invokes a local project.
Instruction Scope
SKILL.md explicitly instructs the agent to run local scripts via exec (uv run) and to not use the browser tool — this is a directive that changes tool selection (a prompt-injection pattern). The shipped scripts open Chrome (Selenium), load/save cookies, modify user config (~/.openclaw/openclaw.json), and can automatically publish content. Those actions are within the claimed purpose but are sensitive: cookies and Chrome profile are read/written, and scripts call a local OpenClaw gateway and external image-generation APIs. The SKILL.md also references optional tokens (OPENCLAW_GATEWAY_TOKEN) and data directories not listed as required envs, and a pre-scan found unicode-control-chars inside SKILL.md (possible attempt to influence processing).
Install Mechanism
Installer is a repository-provided install.sh which copies files into ~/.openclaw/skills/xhs, installs Python deps via uv, and injects entries into the user's openclaw.json. The declared brew formula (uv) is reasonable. The install writes files to the user's home and updates config — expected for this type of skill, but it's persistent and should be inspected before running. No third-party arbitrary binary download URLs were noted in the metadata, but the installer will run uv sync and uv pip which pull dependencies from package indexes.
Credentials
Requested env vars (toolkit dir and image-generation API info) are appropriate for generating images and running the local toolkit. However, the skill will create and read a cookies file (~/.openclaw/credentials/xhs_cookies.json) and write image API keys and the gateway token to openclaw.json during install; both are sensitive credentials. The optional OPENCLAW_GATEWAY_TOKEN (used for local gateway calls) is not strictly required, but the scripts will attempt to talk to http://127.0.0.1:18789 and will include a token if present.
Persistence & Privilege
always:false (good). The installer and runtime create persistent files (skill files under ~/.openclaw, Chrome profile directory, cookies file, and edits openclaw.json). Autonomous invocation (disable-model-invocation:false) is allowed by default; combined with the skill's ability to publish posts and run a pipeline that can operate in 'auto' mode, this increases blast radius if the skill is misused. The skill does not declare it will modify other skills' configuration beyond adding its own entry, which matches the installer behavior.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contains unicode control characters detected by pre-scan. This is not needed for automation and can be used to manipulate tool parsing or hide instructions; combined with the explicit 'do not use browser tool' directive it looks like a prompt-injection attempt to force use of exec-based scripts.
What to consider before installing
This skill appears to be a coherent Xiaohongshu automation toolkit, but it performs sensitive, persistent actions: it will copy code into ~/.openclaw, install Python dependencies, modify your openclaw.json, create a Chrome profile and store site cookies (which allow posting as your account), and can run an automated 'auto' publish pipeline. Additional cautions:
- Review code before running the installer: inspect scripts under xhs-toolkit/src, especially server/auth modules (smart_auth_server.py, mcp_server.py, cookie_manager.py) for any unexpected network endpoints or server behavior.
- Do not paste real credentials (IMAGE_API_KEY, OPENCLAW_GATEWAY_TOKEN) until you trust the repository; consider using limited-scope API keys or test accounts.
- Back up ~/.openclaw/openclaw.json before the installer modifies it and inspect what values the installer writes.
- The SKILL.md contains an instruction forbidding use of the browser tool and the file has unicode-control-chars — this is a prompt-injection pattern. Prefer to run the toolkit in an isolated environment (VM or container) first and step through installer actions manually.
- Because the skill can auto-publish, avoid enabling or triggering the 'auto' mode until you have tested the pipeline in preview/dry-run mode and validated that saved cookies and publishing behavior are correct.
If you want to proceed safely: clone the repo locally, inspect the files indicated above, run installer steps manually (copy files, run uv sync) while watching what gets written to disk, and consider limiting network access for the skill during initial tests.
Like a lobster shell, security has layers — review code before you run it.
latestvk97eyqz9ta24sfmqn87te6kn3x81n3ha
Runtime requirements
📕 Clawdis
Bins: uv
Env: XHS_TOOLKIT_DIR, IMAGE_API_KEY, IMAGE_BASE_URL, IMAGE_MODEL
Primary env: XHS_TOOLKIT_DIR
Install
Install uv (brew)
Bins: uv
brew install uv