小红书运营助手

The skill's files, instructions, and runtime requirements align with its stated purpose (fetching and decoding third‑party XHS aggregator data and scoring notes); nothing in the bundle requests unrelated credentials or escalated privileges, but it does call an external, non‑official backend you should trust before use.

This skill appears coherent and implements what it claims: it calls a third‑party API (qianhaistonepark.site) and uses the bundled Python script to XOR‑decrypt some returned fields. Before installing, confirm you trust that external domain (responses and traffic will go to it). Inspect or run scripts/tool.py locally if you want to verify the decryption logic (it contains a hardcoded salt 'sardinesinqianhai' used to derive the key). Do not send any sensitive credentials or private data through the skill; if you need strong guarantees, ask the author for the data retention/privacy policy or host your own trusted data source.