小红书自动化
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad agent instruction could publish content to the user's Xiaohongshu account or damage the account's reputation.
The bot directly performs a public publishing action through the authenticated browser session, with no visible confirmation or preview step before clicking publish.
const publishBtn = await this.page.$('button:has-text("发布")'); ... await publishBtn.click(); ... console.log('笔记发布成功!');
Require explicit user confirmation before publish/reply actions, show a preview of title/content/images/tags, and add clear dry-run or cancel behavior.
Anyone or any process that can access the saved session may be able to reuse the account session for Xiaohongshu actions.
The skill saves and reloads browser storage state for an authenticated Xiaohongshu account. That session file functions like a credential even though the registry metadata declares no primary credential.
sessionPath: process.env.XHS_SESSION_PATH || path.join(process.env.HOME, '.openclaw', 'xiaohongshu', 'session.json') ... storageState: this.loadSession() ... fs.writeFileSync(CONFIG.sessionPath, JSON.stringify(storage, null, 2));
Treat the session file as a credential, restrict filesystem permissions, clearly declare the credential/session behavior, and use logout/cleanup when automation is no longer needed.
Users may believe their login session is better protected than the provided code demonstrates.
The documentation claims encrypted session storage, but the visible implementation writes the storage state as JSON with fs.writeFileSync and shows no encryption mechanism.
- 会话状态加密存储 ("session state is stored encrypted")
Either implement real encryption or OS keychain storage for session state, or remove the encryption claim and clearly document the actual protection model.
The installed dependency set may not match what the runtime code actually needs, causing confusion or unexpected package installation.
The skill metadata says it installs Puppeteer, while package.json depends on Playwright and the code imports Playwright. This is an install/provenance mismatch rather than direct malicious behavior.
"install": [{ "id": "node", "kind": "node", "package": "puppeteer", "bins": ["puppeteer"] }]
Align the registry install metadata, package.json, package-lock.json, and README commands before use.
