Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

小红书自动发布 (Xiaohongshu Auto-Publish)

v1.2.0

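Automatically reads the current day's video and title from a specified folder, connects to Chrome, and publishes the content to a Xiaohongshu (小红书) account via a script.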

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for weishuai34-bit/xiaohongshu-publish-auto.

Install the skill "小红书自动发布" (weishuai34-bit/xiaohongshu-publish-auto) from ClawHub.
Skill page: https://clawhub.ai/weishuai34-bit/xiaohongshu-publish-auto
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiaohongshu-publish-auto

ClawHub CLI

npx clawhub@latest install xiaohongshu-publish-auto

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements the stated purpose (read a local folder and drive Chrome to publish on 小红书 via Puppeteer). However the implementation is Mac-specific and uses a hardcoded path (/Users/today/Movies/小红书英语) rather than the user's HOME (~) declared in SKILL.md; skill.json mentions cookies and YouTube downloads even though the runtime code does not perform downloads. The metadata omits mention of required local commands (curl, open).
Instruction Scope
SKILL.md instructs to enable Chrome remote debugging and to place files in ~/Movies/..., which matches the high-level behavior, but the runtime script diverges: it uses a hardcoded user path (/Users/today), spawns local commands (curl and open) and saves screenshots to /tmp. The skill will control whatever Chrome profile is exposed to the remote debugging port (i.e., it will act as the logged-in user), which is a sensitive capability not emphasized in the docs.
Install Mechanism
There is no install spec even though the code requires Node.js modules (puppeteer). The manifest lists runtime: node but does not provide steps to install puppeteer or other npm deps. The script also expects system binaries (curl, open) and a Mac environment; these are not declared in requirements, which is an incoherence and operational risk.
Credentials
No environment variables or credentials are declared, which is consistent, but the skill depends on an already-authenticated Chrome session (it uses Chrome's cookies/profile via remote debugging). That gives the skill access to session cookies and any logged-in accounts in that profile. skill.json also mentions 'cookies' for YouTube downloads, which the code does not perform — an unexplained requirement.
Persistence & Privilege
The skill does not request always:true and does not modify other skill configurations. However enabling Chrome with --remote-debugging-port exposes the browser profile to external control while the port is open; the script starts Chrome with that flag (or connects if already running), so the effective privilege is broad during execution. This is a legitimate need for Puppeteer automation but is high-impact and should be limited to a dedicated browser profile.
What to consider before installing
This skill automates posting by controlling your Chrome browser via the remote debugging port — that means it will act as whatever Chrome profile is exposed (including using your logged-in accounts and cookies). Before installing:
- Inspect and/or modify the code: change the hardcoded path /Users/today to a proper configurable path (e.g., process.env.HOME) or confirm it matches your environment.
- Do not run this against your main Chrome profile. Start Chrome with a dedicated user-data-dir and only enable --remote-debugging-port for that profile, or run it in a throwaway profile.
- Ensure Puppeteer and Node dependencies come from a trusted source; the package has no install spec for npm modules.
- Be aware the script uses macOS-specific commands (open) and curl; it appears Mac-only.
- Review the unexplained skill.json note about YouTube cookies — the runtime does not download videos, so confirm your workflow and privacy implications.
- If you proceed, run in a controlled environment first, and avoid leaving the remote debugging port open after use.
skill.js:9
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk973c63neckjnd7vy0xwdm258583xwra
110 downloads
0 stars
2 versions
Updated 4w ago
v1.2.0
MIT-0

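小红书自动发布 (Xiaohongshu Auto-Publish)

Features

Reads the current day's video and title files from ~/Movies/小红书英语 and automatically publishes them to Xiaohongshu.

Usage

  1. Download the YouTube video → save it as ~/Movies/小红书英语/视频月日带声.mp4 (月日 = month and day)
  2. Title file → ~/Movies/小红书英语/标题月日.txt
  3. Say "发小红书" to run it automatically

Title file format

Body text...

#topic1 #topic2 #topic3 #topic4

Configuration

  • Video path: ~/Movies/小红书英语
  • Fixed title: 一起学英语 ("Let's learn English together")
  • Automatic topics: read from the lines in the title file that start with #

Notes

  • Clear the topic area before use (if leftover topics remain)
  • Chrome must have debugging enabled: --remote-debugging-port=9222

Technology

  • Node.js + Puppeteer
  • Connects to Chrome via CDP
  • How topics are added: ArrowDown + Enter

Trigger phrases

  • 发小红书
  • 发布小红书
  • 小红书自动发布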