xhs Agent
v0.1.3xhs 全流程助手,覆盖小红书内容策划、文案与标题生成、封面制作、笔记发布及日常运营管理。适用于写笔记、生成标题/封面、发布或保存草稿、站内搜索、评论互动(点赞/收藏/回复)等小红书相关任务。支持从内容创作到发布执行的一站式流程;封面 AI 生图可选配置 GEMINI_API_KEY、IMG_API_KEY 或...
⭐ 4· 1.1k·11 current·11 all-time
byLucas@yikailucas
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and SKILL.md both describe a browser-automation Xiaohongshu (小红书) publishing assistant (drafts, publish, replies, metrics). That purpose is coherent with the step-by-step publish flow and confirmation policy. However, the description mentions optional cover-generation API keys (GEMINI_API_KEY, IMG_API_KEY, HUNYUAN_API_KEY) while the skill metadata declares no required environment variables and SKILL.md contains no instructions about calling those image-generation services. This mismatch is unexplained and could be a missing integration or incomplete docs.
Instruction Scope
SKILL.md stays largely within scope: it requires using the official creator site, explicit SMS/CAPTCHA handling by the user, a strict publish confirmation policy, and stepwise publish/draft flows. It does allow actions beyond publishing (reply to comments/messages, check metrics) but only the publish action is gated by an explicit confirmation requirement. The doc does not instruct reading unrelated system files or environment variables. Consider whether replies or other write actions should also require explicit confirmation.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or installed. That is the lowest-risk install mechanism and matches its described browser-automation role.
Credentials
Metadata shows no required environment variables, but the description mentions optional GEMINI_API_KEY / IMG_API_KEY / HUNYUAN_API_KEY for AI-generated covers. These keys are not declared in requires.env nor referenced in SKILL.md; it's unclear if the skill will ever ask for or use such keys. This is an unexplained discrepancy: if cover-generation features exist, they would legitimately need API keys — the skill should declare them and document when/how they'll be used. Also note the skill acts on the user's logged-in web session (browser cookies/SMS), which effectively grants it ability to post on the user's account; that is expected for this purpose but is a sensitive capability.
Persistence & Privilege
always:false and no installation hooks are set. The skill will act via the current browser session and can be invoked autonomously by the agent (the platform default). Autonomous invocation combined with publish capability increases blast radius, but SKILL.md requires explicit confirmation for publishes which mitigates that particular risk. The skill does not request persistent system-wide privileges or modify other skills.
What to consider before installing
This instruction-only skill appears to do what it claims (automate publishing on Xiaohongshu) but has a documentation inconsistency: the description mentions optional AI image API keys that are not declared or used in the runtime instructions. Before installing or enabling it, ask the skill author to clarify whether cover-generation calls will be made and, if so, which environment variables are required and how keys are stored/used. Be aware the skill operates through your browser login: it can create drafts, post, reply, and read dashboard info in that session. To reduce risk, test with draft-only mode first, avoid supplying API keys until you understand why they're needed, and ensure you will be prompted for final confirmation before any publish action. If you don't trust the author or can't get clarification, avoid installing or restrict usage to manual/draft workflows.Like a lobster shell, security has layers — review code before you run it.
latestvk9786pcdg5y7c680y7979gm7d9824ebc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.