Xhs Note Creator
v0.1.0小红书笔记素材创作技能。当用户需要创建小红书笔记素材时使用这个技能。技能包含:根据用户的需求和提供的资料,撰写小红书笔记内容(标题+正文),生成图片卡片(封面+正文卡片),以及发布小红书笔记。
⭐ 29· 6k·37 current·38 all-time
by@wusyx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (create Xiaohongshu notes, render image cards, optionally publish) match the included scripts and templates. However the registry metadata declares no required environment variables while the README/SKILL.md and env.example explicitly require an XHS_COOKIE for publishing — an incoherence between declared requirements and actual functionality.
Instruction Scope
Runtime instructions are specific: create Markdown, run render scripts (Python/Node) to produce images, and optionally run publish_xhs.py to post. Instructions tell the user to extract their browser Cookie via DevTools (normal for scripts that call a web service). The SKILL.md also mentions an optional 'api-mode' (xhs-api) which would route posts through a third-party service; the docs do not explain that service's endpoint or trustworthiness — you should review publish_xhs.py to see exactly what hosts it contacts.
Install Mechanism
There is no install spec for the skill bundle, but the project includes requirements.txt, package.json and uses Playwright. Installing and using the scripts will require pip/npm and downloading Playwright's browser binaries (large downloads and native components). Lack of an automated install spec means developers/users might run install commands manually — ensure you trust the package sources and review dependency lists (e.g., 'xhs' Python package and npm packages) before installing.
Credentials
Publishing requires the user's XHS_COOKIE (sensitive login cookie). The skill registry lists no required env vars, but env.example and SKILL.md instruct setting XHS_COOKIE and copying cookies from the browser. Requiring a full session cookie is proportionate to posting on behalf of the user but is sensitive — the skill should have declared this required credential up front and documented how publish_xhs.py stores/transmits it (it is not declared in the registry metadata).
Persistence & Privilege
The skill does not request elevated or persistent platform privileges (always:false). It contains scripts and templates but does not declare any config paths or forced installation. No evidence it modifies other skills or system-wide agent settings.
What to consider before installing
Key things to check before installing/using:
- Inspect scripts/publish_xhs.py and any network code: verify which endpoints are contacted (xiaohongshu.com vs any third-party 'xhs-api' host) and ensure you trust them. The SKILL.md mentions an optional api-mode — find out the default behavior.
- Do not paste your real XHS_COOKIE into public places. Treat the cookie as a full account credential. Prefer testing publish features with a throwaway/test account.
- The package depends on Playwright and node/python libraries; installing will download browser binaries (Chromium). Review requirements.txt and package.json and verify upstream package reputations (PyPI, npm) before running pip/npm install.
- Because the registry metadata omitted XHS_COOKIE, ask the author to declare required env vars in the skill manifest and explain how credentials are used/stored. Lack of declaration is an incoherence you should get clarified.
- If you only need rendering, skip the publish step and run render scripts locally after reviewing them. If you plan to use publish, read the publish script to confirm it does not exfiltrate data to unexpected third parties.
- If you are unsure, run the code in an isolated environment (VM or container) and examine outbound network connections during a test run.Like a lobster shell, security has layers — review code before you run it.
latestvk97acgj8zh46jgk40522pvk2tx80nq5t
License
MIT-0
Free to use, modify, and redistribute. No attribution required.