Xiaohongshu Data Insight Master - Viral Content Mining and Competitor Analysis Expert

Pass

Audited by ClawScan on May 16, 2026.

Overview

The skill appears to do what it claims, but it relies on a third-party Guaikei API token, sends requested Xiaohongshu queries/URLs to that API, and saves result logs locally.

Before installing, confirm you trust the Guaikei/developer API service, use a dedicated API token, and remember that your Xiaohongshu search keywords, note URLs, and retrieved results may be sent to the provider and stored locally under logs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less registry-level assurance about the publisher and original source of the skill.

Why it was flagged

The registry metadata does not provide a verified source or homepage, although the included package files are visible and no remote install script is present.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the publisher, and compare the package contents with the repository claimed in package.json if provenance matters.

What this means

Anyone with access to the token may be able to use the associated Guaikei API service, and the provider receives authenticated requests.

Why it was flagged

The provider API token is sent with search API requests. This is expected for the service, but it is still a credential used outside the local machine.

Skill content

postJson("/api/xiaohongshu/note-search/keyword", { _: Date.now(), token: token }, { keyword, type, sort, limit })

Recommendation

Use a dedicated, revocable token if available and avoid sharing the token in logs, screenshots, or prompts.

What this means

The third-party API provider can see the Xiaohongshu URLs and search/detail requests you submit.

Why it was flagged

User-provided Xiaohongshu note URLs are posted to the external detail API endpoint for processing. This is purpose-aligned, but it means those URLs leave the local environment.

Skill content

postJson("/api/xiaohongshu/detail/url", { _: Date.now(), token: token }, { url: url })

Recommendation

Only submit URLs and keywords you are comfortable sending to the provider, especially if they reveal sensitive business research or private campaign plans.

What this means

Search terms, note URLs, and returned Xiaohongshu data may remain on disk after the command finishes.

Why it was flagged

The logging helper saves task outputs under a local logs directory. The CLI files pass completed search/detail result JSON into this helper.

Skill content

path.join(path.dirname(__filename), "..", "..", "logs", safeFilename); ... await fs.promises.writeFile(outputFilename, content);

Recommendation

Review and delete the logs directory when results are no longer needed, and avoid running sensitive research queries if local retention is undesirable.