Xiaohongshu Collector
v1.0.0Work on Xiaohongshu post/comment collection, cookie handling, refresh flows, and browser plugin integration in the forbidden_company repo.
⭐ 0· 65·1 current·1 all-time
byJack.L.P@pengluday
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (Xiaohongshu post/comment collection, cookie handling, refresh flows, browser plugin integration) matches the actions described in SKILL.md and references the repo scripts and endpoints that would be needed. All declared capabilities are coherent with the stated purpose.
Instruction Scope
The runtime instructions are narrow and repository-focused: run existing scripts, wire the browser plugin to local endpoints, and read a saved cookie file for auth. These are within scope for the stated task. The skill explicitly warns not to echo cookies in final outputs. The only noteworthy point is that SKILL.md instructs reading data/xiaohongshu-cookie.txt (a sensitive local artifact), so a human should confirm this file access is acceptable.
Install Mechanism
Instruction-only skill with no install spec and no code files executed by the skill itself. This minimizes installation risk because nothing new is downloaded or written to disk by the skill bundle.
Credentials
The skill does not request environment variables or credentials, which is appropriate. However SKILL.md tells the agent to read a local cookie file (data/xiaohongshu-cookie.txt) even though the registry metadata lists no required config paths; this metadata mismatch should be confirmed. Reading a local cookie is relevant to the task but is sensitive and should be audited.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and does not modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not accompanied by other red flags.
Assessment
This skill is internally coherent for developing/operating Xiaohongshu collection in a local repo, but take these precautions before installing or invoking it: 1) Confirm the skill will run inside a trusted local copy of the 'forbidden_company' repo and review the referenced scripts (scripts/collect_xiaohongshu.py, scripts/admin_server.py, run_xiaohongshu_collection.sh and the browser-extension folder) for any network exfiltration or unexpected behavior. 2) Be aware SKILL.md instructs reading data/xiaohongshu-cookie.txt — treat that file as sensitive (do not paste its contents into chat) and verify who/what has access. 3) The package metadata did not declare that config path; verify that mismatch (it may be an oversight). 4) Ensure whatever collection you run complies with the target site's terms of service and applicable law (the skill's safety notes discourage shared-server mass scraping — prefer local, user-driven flows). 5) If you want stronger assurance, ask the publisher for the repo source or a code review of the referenced scripts before enabling autonomous invocation.Like a lobster shell, security has layers — review code before you run it.
latestvk97cgxbwddz577ns6xcd25ppy584c1sz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.