小红书商业洞察与竞品分析助手
v1.0.1小红书运营全链路数据工具|关键词监控+爆款挖掘+竞品分析+KOL筛选+趋势洞察,用数据驱动小红书流量增长,告别盲目创作
⭐ 0· 115·0 current·0 all-time
by@um-why
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (小红书数据挖掘 / 竞品分析 / KOL筛选) matches the implemented behavior. The skill requires Node.js and a GUAIKEI_API_TOKEN and its code calls a third‑party data API to perform searches and detail lookups — this is consistent with the stated purpose. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md says the tool uses a third‑party API and asks for GUAIKEI_API_TOKEN; the runtime actually sends the token and user-supplied note URLs/keywords to https://www.guaikei.com endpoints. The scripts write local output and lock files (last-search.json, last-detail.json, .lock_*). The instructions do not read arbitrary system files or other env vars, but they do transmit the token and query URLs to an external service — SKILL.md mentions a third‑party API but does not name the domain. Users should be aware that provided tokens and query URLs are sent to guaikei.com.
Install Mechanism
No install spec / remote downloads. The skill is instruction + local Node.js scripts included in the bundle. No external installers or archive extraction, so installation risk is low.
Credentials
Only one environment variable is required: GUAIKEI_API_TOKEN, which is appropriate for a third‑party API. The code falls back to a hardcoded default token ('e10adc3949ba59abbe56e057f20f883e') when a valid token is not provided — that value appears to be a known weak/default value. The token (whether user‑supplied or default) is transmitted to the external API; ensure you trust the API operator before supplying a private token.
Persistence & Privilege
The skill does not request permanent always‑on inclusion. It writes output and temporary lock files in its own script directory only and does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it claims, but it relies on a third‑party service (www.guaikei.com). Before installing or supplying a private GUAIKEI_API_TOKEN: 1) Verify the third‑party service (guaikei.com) is reputable and that you accept their privacy/terms — the skill will send your token and any note URLs/keywords to that service. 2) Avoid using the hardcoded default token for production data (it is a weak/default value). 3) If you want to limit exposure, run the skill in a sandbox or isolated environment and inspect network traffic to confirm behavior. 4) Inspect the referenced upstream repo (package.json.homepage) if you want the original source history. 5) Be aware the skill writes result files (last-search.json, last-detail.json) in the skill directory — delete or secure them if they contain sensitive query context.Like a lobster shell, security has layers — review code before you run it.
chinesevk9706w9aw6s6a9gwsr5k7xddr184vjtacrawlervk9706w9aw6s6a9gwsr5k7xddr184vjtadata-miningvk9706w9aw6s6a9gwsr5k7xddr184vjtalatestvk9706w9aw6s6a9gwsr5k7xddr184vjtasearchvk9706w9aw6s6a9gwsr5k7xddr184vjtasocialvk97a8t4sv9cnbzqv78nfc2h9jn84fhwjsocial-mediavk9706w9aw6s6a9gwsr5k7xddr184vjtaxiaohongshuvk9706w9aw6s6a9gwsr5k7xddr184vjta
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode
EnvGUAIKEI_API_TOKEN