ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xhs Spider

自动化的小红书数据采集工具。支持获取博主基本信息、下载图文视频,以及提取笔记评论导出为 Excel。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 260 · 1 current installs · 1 all-time installs
by@rimetli
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (XHS data collection) reasonably requires a Python runtime and an XHS session cookie to authenticate; those requirements are proportionate. However, the skill supplies no code, repository, or homepage — so it cannot run until a local 'cli.py' is present. The missing source makes intent and provenance unclear.
!
Instruction Scope
SKILL.md explicitly instructs the agent to call exec to run local commands like 'python cli.py --action ...'. That grants the agent permission to run arbitrary local Python code if present. The instructions do not include or verify the actual 'cli.py' implementation, do not restrict command parameters beyond examples, and do not describe safe handling of outputs. Because the skill relies on executing a local script of unknown provenance, there is risk the executed code could do more than described.
Install Mechanism
Instruction-only skill with no install spec and no external downloads — low supply-chain risk from the skill itself. The scanner had no files to analyze.
Credentials
Only XHS_COOKIE is requested, which is relevant for authenticated scraping. However, this cookie is a sensitive credential (session cookie) that could allow account access. Requiring a raw cookie is more sensitive than using an API token or OAuth flow; the skill does not explain how the cookie is used or stored.
Persistence & Privilege
Skill does not request persistent presence (always:false) and does not ask to modify other skills or global agent settings.
What to consider before installing
This skill describes running a local Python CLI that needs your XHS session cookie. Before installing or using it: (1) confirm you have the actual 'cli.py' script and inspect its source — the skill provides no code or homepage; (2) avoid pasting your XHS_COOKIE into chat or untrusted UIs; prefer scoped API credentials if available; (3) run any unknown scripts in an isolated environment (container or VM) and review network activity; (4) verify legal and terms-of-service implications of scraping the site; (5) if you don't have the script, don't set the cookie system-wide — the skill as-supplied cannot be validated and may execute arbitrary local code.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.1
Download zip
latestvk972cpp9nb5pq507wjnrghf1vs82pgnb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython
EnvXHS_COOKIE

SKILL.md

小红书采集技能 (XHS-Spider)

本技能提供一系列与小红书数据采集相关的本地脚本执行能力。当用户需要抓取小红书相关数据时,可参考以下指令格式调用本地 Python 脚本。

执行指令规范

请使用内置的 exec 工具执行以下命令。执行前请确保已激活对应的 Python 虚拟环境,并已设置 XHS_COOKIE 环境变量。

  • 获取博主基本信息:python cli.py --action profile --url "<用户主页链接>"
  • 抓取博主主页笔记:python cli.py --action user --url "<用户主页链接>"
  • 提取单篇笔记评论:python cli.py --action comment --url "<笔记链接>"
  • 关键词搜索抓取:python cli.py --action search --keyword "<关键词>" --num 10

抓取完成后,请读取终端输出的 Excel 或媒体文件路径,并反馈给用户。

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…