Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xiaohongshu CN
v1.0.0 · Xiaohongshu analysis - popular note discovery, keyword monitoring, trend analysis (the Chinese version of Instagram)
⭐ 7 · 6.1k · 45 current · 48 all-time
by Guohongbin @guohongbin-git
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Xiaohongshu analysis) match the content: instructions for discovering popular notes, keyword monitoring and trend analysis. It does not request unrelated credentials or system access.
Instruction Scope
SKILL.md explicitly recommends cloning and running third‑party scraping projects, performing '小程序抓包' (packet capture/intercepting mobile app traffic), and reverse engineering the API. Those instructions expand scope beyond safe, read-only guidance: they can collect sensitive data, may violate terms of service or law, and instruct the user to run unvetted code and network interception tools.
Install Mechanism
The skill is instruction-only (no install). However it instructs the operator to git clone and run external GitHub projects. That delegates installation/execution to third‑party code (supply‑chain risk). The skill itself does not fetch or embed code, but following its steps involves installing arbitrary external packages.
Credentials
The skill declares no required environment variables, credentials, or config paths. It does not request broad secrets or system access in its metadata. Note: practical use of recommended techniques (e.g., intercepting mobile traffic or running scrapers) may implicitly require device/proxy credentials, but those are not requested by the skill itself.
Persistence & Privilege
No install spec and no persistence requested. always is false and the skill does not attempt to modify other skills or system settings. It is agent-invocable in the normal way.
What to consider before installing
This skill is essentially a how-to for scraping Xiaohongshu (a site without a public API). Before using it:
1) Understand legal and ToS risks — packet capture, reverse engineering, or aggressive scraping can violate laws or the platform's rules.
2) Do not blindly run cloned repositories: review the GitHub code, check community reputation, and run in an isolated environment (VM/container) with least privilege.
3) Prefer official or paid data providers where available, respect robots.txt and rate limits, and avoid collecting personal/private data.
4) If you must use packet‑capture or proxy tools, ensure you have lawful authorization and are not intercepting other users' traffic.
5) The skill itself does not execute anything until you follow its instructions — treat those external commands as higher-risk operations and vet them accordingly.
Like a lobster shell, security has layers — review code before you run it.
Tags: china, latest, social
Runtime requirements
📕 Clawdis
