Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaohongshu Mcp Publisher

v1.1.0

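Complete Xiaohongshu automation workflow: from news search to cover generation to publishing. Trigger scenarios: (1) publishing a Xiaohongshu note, (2) searching news to generate content, (3) generating a cover image, (4) fully automated operation. Keywords: 小红书发布 (Xiaohongshu publish), xhs publish, 小红书自动化 (Xiaohongshu automation), 新闻发布 (news publishing).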

by shj_X @shaohaojie1

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for shaohaojie1/xiaohongshu-mcp-publisher.

Prompt preview: Install & Setup
Install the skill "Xiaohongshu Mcp Publisher" (shaohaojie1/xiaohongshu-mcp-publisher) from ClawHub.
Skill page: https://clawhub.ai/shaohaojie1/xiaohongshu-mcp-publisher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiaohongshu-mcp-publisher

ClawHub CLI


npx clawhub@latest install xiaohongshu-mcp-publisher

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description describe searching, generating covers, and publishing to an MCP service. The included scripts implement cover generation (PIL) and publish via a local HTTP MCP service (localhost:18060), which is coherent with the stated purpose. However, the skill does not declare runtime dependencies (requests, Pillow) or the expectation that the MCP binaries be installed, and the publish script prints hardcoded macOS paths (/Users/mac/.openclaw/extensions/...) — an implementation detail that is platform- and user-specific and not described in SKILL.md.
Instruction Scope
SKILL.md stays within the publishing workflow (web_search → generate cover → call MCP API). It explicitly requires a local MCP service and absolute image paths. No instructions ask the agent to read unrelated system files or external accounts. But it assumes the agent or user can run local binaries, write to filesystem paths, and run the provided Python scripts. The SKILL.md omits mentioning required Python packages and does not caution about the hardcoded example binary paths.
!
Install Mechanism
There is no install spec (instruction-only), yet the bundle includes executable Python scripts expecting third-party libraries (Pillow, requests). Because nothing in the skill declares or installs these dependencies, a user/agent may attempt to run them in an environment where they are missing. This is an engineering/packaging omission rather than direct maliciousness, but it increases operational risk (script failures, unexpected behavior) and should be fixed.
Credentials
The skill requests no environment variables or external credentials, which is proportionate. The scripts contact only localhost:18060 (MCP service) and access local filesystem paths (image output and example binary paths). Access to the local filesystem and a local HTTP endpoint is expected for this purpose, but the presence of hardcoded macOS user paths and no explanation of where MCP binaries come from is a red flag for usability and potential misconfiguration.
Persistence & Privilege
The skill does not request always:true or any special persistent privileges. It is user-invocable and allows normal autonomous invocation; this is the platform default and appropriate for the use case. The skill does not modify other skills or global settings.
What to consider before installing
This skill appears to implement the advertised workflow (generate a cover image and post a note via a local MCP service), but there are a few things to check before installing or running it:

  1) Verify the upstream source (the linked GitHub repo) to ensure the MCP binaries and login tool are trustworthy.
  2) The package includes Python scripts but does not declare dependencies — you will need Pillow and requests; run them in a controlled virtualenv.
  3) The publish script expects a local service at http://localhost:18060 and prints hardcoded macOS example paths — confirm the MCP service is actually installed and running on your machine (and update any paths to match your environment).
  4) Because the skill talks to a local HTTP service and writes image files, run it in a sandbox or non-privileged account until you confirm behavior.
  5) If you do not control or trust the MCP service binary referenced, do not run the publish step; validate that the service does not forward data externally.

Resolving the missing dependency declarations and removing/parameterizing hardcoded paths would reduce the concerns noted here.

Like a lobster shell, security has layers — review code before you run it.

latest vk978tqrd3txkc7vc5hp8ahs6q584mp1s
94 downloads
0 stars
2 versions
Updated 2w ago
v1.1.0
MIT-0

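Complete Xiaohongshu Publishing Workflow

A complete automated workflow: search for content → generate a cover → publish the note.

Full Workflow

Content search → Copy generation → Cover generation → MCP publishing

Step Details

1️⃣ Content Search

Use web_search to search for news or trending topics, or use a topic specified by the user.

2️⃣ Copy Generation

The AI automatically generates Xiaohongshu-style copy:

  • Title: keyword + emoji + number/pain point (≤20 characters)
  • Body: pain-point hook → core content → call to interact
  • Tags: 5-8 hashtags

3️⃣ Cover Generation

Use PIL to generate a text-only cover:

  • Size: 1080x1440 (3:4)
  • Solid-color background + white card + large black text
  • Keyword highlighting

4️⃣ MCP Publishing

Publish the note through the xiaohongshu-mcp service.

Prerequisites:

  • The MCP service is running (default port 18060)
  • A Xiaohongshu account is logged in

API endpoints:

  • Login status: GET /api/v1/login/status
  • Publish note: POST /api/v1/publish

Important Notes

Image Path Format

Use an absolute path; the file:// protocol is not allowed.

Publish Timeout

Publishing takes 1-2 minutes; set timeout >= 180 seconds.

Publishing Frequency

Avoid back-to-back publishing; leave an interval of ≥1 hour.


Related Skill: xiaohongshu-auto-operator (more complete automated operations)

Project source: xpzouying/xiaohongshu-mcp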
