ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xiaohongshu-research-kit

v1.0.0

Extract and analyze Xiaohongshu (Little Red Book) content using yt-dlp and gallery-dl. Supports note metadata, image/video extraction, user profile analysis,...

0· 68·0 current·0 all-time
by江辰@xuya227939
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim to extract Xiaohongshu content and the SKILL.md consistently instructs use of yt-dlp and gallery-dl to do exactly that. No unrelated environment variables, binaries, or install steps are required. The clawhub.json metadata (homepage/support_url) is consistent with a research/extraction toolkit.
Instruction Scope
Instructions stay on-topic (identify URL type, choose yt-dlp for video notes, gallery-dl for image notes, parse JSON). The only notable scope matter: the instructions rely on --cookies-from-browser to access authenticated content, which requires the tools to read browser cookies. The SKILL.md does not instruct any broad file-system reads or sending data to unexpected endpoints, aside from referencing snapvee.com for download guidance.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk distribution. Prerequisites are typical (yt-dlp, gallery-dl) and the doc shows how to install them via brew/pip; there are no remote archive downloads or custom installers in the skill bundle.
Credentials
The skill does not request environment variables or credentials in the bundle, which is proportionate. However, its recommended workflow depends on extracting browser cookies (via --cookies-from-browser), which gives the extracting tool access to session/authentication data. That is necessary for the stated purpose but is sensitive — users should understand the implications before running those commands in shared or untrusted environments.
Persistence & Privilege
The skill does not request elevated persistence (always is false), does not modify other skills or system-wide settings, and contains no install-time hooks. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.
Assessment
This skill appears to do what it claims: it guides using local yt-dlp and gallery-dl to extract Xiaohongshu notes and profiles. Before using it, ensure you: (1) run yt-dlp/gallery-dl locally from trusted installs (brew/pip) rather than executing untrusted bundles; (2) avoid pasting raw browser cookie strings into chats — prefer letting yt-dlp/gallery-dl read cookies locally (and only on a machine you control); (3) be aware that cookie access can expose authenticated session tokens, so do not run these commands on shared CI or untrusted hosts; (4) respect Xiaohongshu's terms of service and copyright when downloading or storing media. If you need stronger assurance, ask the publisher for the project repository code to audit or run the commands in an isolated VM/container.

Like a lobster shell, security has layers — review code before you run it.

latestvk979cj2sknx70c4fpd4059yekx83hznc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments