Xiaohongshu Viral Copywriting (红狐数据)

Review

Audited by ClawScan on May 15, 2026.

Overview

The skill matches its copywriting purpose, but its bundled trend-fetching script disables HTTPS certificate checks for a third-party API, which makes the fetched data and user search terms less trustworthy.

Install only if you are comfortable with your topic keywords being sent to the external trend provider and with optional style samples being processed by the agent. Avoid sensitive campaign terms or private diary text, review generated copy before publishing, and prefer a version that keeps HTTPS certificate verification enabled.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misrouted connection could impersonate the trend API or alter returned data, causing the agent to generate copy from manipulated trend information and potentially exposing the user's topic keyword.

Why it was flagged

The script intentionally disables hostname and certificate validation for an HTTPS request, then uses the response as the source for the agent's trend analysis.

Skill content

    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    ssl_sock = context.wrap_socket(sock)

Recommendation

Use normal HTTPS client behavior with certificate validation and SNI, or implement a documented, validated alternative such as certificate pinning; fail closed if the provider cannot be verified.

What this means

Search topics or campaign keywords may be visible to the external provider.

Why it was flagged

The user's topic keyword is sent to an external trend-data provider. This is aligned with the skill's stated trend-fetching purpose, but the provider and data boundary are not clearly described in the user-facing SKILL.md.

Skill content

    base_url = "https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData"
    params = {
        "keyword": keyword,
        "source": "小红书笔记创作-ClawHub"
    }

Recommendation

Disclose the external provider and privacy expectations clearly, and avoid using sensitive internal campaign terms unless the provider is trusted.

What this means

Private diary-like text or personal details pasted as style samples could be processed by the agent.

Why it was flagged

The workflow asks the user to provide optional personal writing samples for style analysis. No persistence or onward transmission of those samples is shown, but the samples will enter the agent context.

Skill content

Want me to understand your style better? Just send me a few of your usual notes, diary entries, or casual essays.

Recommendation

Use non-sensitive writing samples and remove names, private events, or confidential business details before providing style references.