XHS Layout

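Generates Xiaohongshu (Little Red Book) image-and-text layouts from JSON input. Use when: the user wants to generate a Xiaohongshu-style multi-page image-and-text post or layout.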

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by tianshu@wangshengli0421
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (XHS layout) match the actual behavior: the skill reads JSON input and POSTs it to a configured xhs_generate endpoint. Requested items (TS_TOKEN and AIZNT_PROXY_URLS) are appropriate for calling an upstream API proxy.
Instruction Scope
Runtime instructions and scripts only read the declared env vars and an optional --body-file. One small inconsistency: SKILL.md says the server converts JSON to form-urlencoded, but the script sends application/json. Otherwise the script stays within the declared purpose and does not access unrelated files or env vars.
Install Mechanism
No install spec; this is an instruction-only skill with small helper scripts. Nothing is downloaded or written during install.
Credentials
Only two env items are required: AIZNT_PROXY_URLS (URL map for proxies) and TS_TOKEN (auth token). Both are relevant and proportional to the skill's operation.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. It does not modify other skills or system-wide configs.
Assessment
This skill will send any JSON you provide to whichever endpoint you place in AIZNT_PROXY_URLS.xhs_generate using the TS_TOKEN for Authorization. Before installing:
1) Ensure AIZNT_PROXY_URLS points to a trusted service (the skill will forward whatever data you give it).
2) Treat TS_TOKEN as sensitive — only supply a token with the minimal necessary scope and rotate it if you suspect misuse.
3) Note the minor doc/code mismatch: SKILL.md mentions form-urlencoded but the script sends application/json; confirm the upstream expects JSON.
4) Avoid sending unrelated secrets in the body argument.
If you need higher assurance, verify the actual endpoint implementation or run the scripts in a controlled environment first.
scripts/client.js:3
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
Tags: latest, layout, tianshu, xhs

Runtime requirements

Env: AIZNT_PROXY_URLS
Primary env: TS_TOKEN

SKILL.md

Xiaohongshu image-and-text posts (aiznt-xhs)

The server converts the JSON to form-urlencoded and calls the upstream.

node scripts/xhs.js --body '{"user_text":"标题与正文","page_count":3}'
node scripts/xhs.js

URL key: xhs_generate. For configuration, see TsClaw "Sync Tianshu credentials" (同步天树凭证).
