v1.0.0

小红书全栈采集专家

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:00 AM.

Analysis

This skill is a disclosed Xiaohongshu data-collection assistant, but it is designed for automated scraping, account-based checks, scheduled tracking, and Feishu export in ways users should review carefully before installing.

GuidanceBefore installing, confirm that Xiaohongshu scraping is permitted for your use case, avoid using important personal accounts, keep collection volumes low, require approval for bulk or scheduled tasks, and configure Feishu credentials and table permissions narrowly.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

README.md

技能依赖延时器避免触发风控... 操作上限：每小时搜索≤20个，深度采集≤20条

The skill explicitly frames delays as a way to avoid platform risk controls while performing automated collection, which is a material browser-automation and scraping risk even though the activity is disclosed.

User impactUsing this skill could cause a Xiaohongshu account to be rate-limited, challenged, or sanctioned, and could collect more platform content than the user intended.

RecommendationUse only where collection is allowed, keep quantities low, require explicit approval before bulk/deep scraping, and avoid using personal or important accounts for automated scraping.

Rogue Agents

SeverityLowConfidenceHighStatusNote

å°çº¢ä¹¦å¨æ ä¸å®¶.md

支持设置定时任务，长期跟踪特定关键词和博主类型的内容更新

The skill intentionally supports persistent scheduled tracking. This is disclosed and user-directed, but recurring automation should be bounded.

User impactA scheduled task could continue collecting and exporting data after the initial request if not configured carefully.

RecommendationSet clear schedules, limits, destinations, and expiration dates for Cron tasks, and review or disable them when no longer needed.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

å°çº¢ä¹¦å¨æ ä¸å®¶.md

延时器位置：`/Users/sue/.openclaw/workspace/scripts/search_delay.py` ... from search_delay import random_sleep

The documentation references an external local helper script and a user-specific absolute path, but that helper is not included in the reviewed artifacts.

User impactIf a user follows these instructions, the behavior of the delay helper depends on local code that was not reviewed as part of this skill.

RecommendationOnly use a delay helper you have inspected, avoid hardcoded user-specific paths, and document any required helper files in the skill package.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceMediumStatusConcern

å°çº¢ä¹¦å¨æ ä¸å®¶.md

账号风险自检（执行前检查）... 新账号：注册<7天 ... 未实名：无手机绑定 ... 违规记录：有历史违规

The skill assumes checking Xiaohongshu account state before scraping, while the supplied registry metadata declares no primary credential or required configuration; that makes account/session use under-scoped for a user installing the skill.

User impactThe agent may operate through or inspect a Xiaohongshu account/session, which can expose account status and put that account at risk during automated collection.

RecommendationClarify exactly which account/session is used, what account details are read, and require user confirmation before any authenticated browsing or account-risk checks.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

飞书Bitable
首次使用需配置Bitable应用获取 app_token 和 table_id

The skill supports exporting collected Xiaohongshu note and creator data to Feishu Bitable using app tokens and table IDs, which is purpose-aligned but sends collected data to an external workspace.

User impactCollected creator profiles, comments, links, and engagement data may be stored in Feishu where workspace permissions determine who can access it.

RecommendationUse least-privilege Feishu app credentials, verify the destination table, and avoid exporting private or sensitive data unless permitted.