XHS Publisher
v1.0.0Publish notes (posts) to Xiaohongshu (小红书) via the Creator Platform using browser automation (CDP). Use when user asks to post/publish/发布 content on Xiaohong...
⭐ 0· 437·3 current·3 all-time
by@waao666
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the SKILL.md. The steps (open creator.xiaohongshu.com, upload cover image, fill title/body, click publish) and use of browser CDP (DOM.setFileInputFiles, Input.insertText, dispatchMouseEvent) are directly relevant to publishing notes. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Instructions are specific to web UI automation and include actions that touch local filesystem paths (files for upload) and browser remote-debugging. They do not ask for unrelated system data, but they assume the agent can access image file paths and control a Chromium instance via CDP. The SKILL.md also suggests taking DOM snapshots and checking the UI for avatars—expected for this purpose.
Install Mechanism
No install spec or third-party downloads — instruction-only. This minimizes supply-chain risk; the skill will not write code to disk or fetch external archives as part of installation.
Credentials
The skill requires no environment variables or credentials, which is proportionate. However, it does implicitly require access to (a) a Chromium instance started with --remote-debugging-port and (b) local image files referenced by absolute paths. Ensure you only expose the intended files/paths and the debugging port to trusted components.
Persistence & Privilege
always is false. The skill does not request persistent/global privileges or modify other skills. It can be invoked autonomously (platform default), which is normal; combined with its lack of credential requests this is not a high privilege footprint.
Assessment
This skill appears to do exactly what it says: automate posting to Xiaohongshu via a browser CDP. Before installing or using it: (1) Confirm you are comfortable granting the agent access to the local Chromium instance (remote debugging port) and any image file paths you provide — this lets the agent read those files and control the browser. (2) Test with a throwaway or test account first so accidental posts don't hit your main account. (3) Verify every post before publishing (the skill automates clicks and coordinate-based interactions). (4) If your platform exposes a filesystem sandbox or file-picking API, prefer giving access only to specific images rather than unrestricted filesystem access. (5) If you need stronger assurance, ask the skill author for an implementation that uses an explicit file-pick flow or an API with scoped tokens so you can audit exactly which files and actions are used.Like a lobster shell, security has layers — review code before you run it.
latestvk978edet0kcmvpztdk5ze90nen82dkv4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.