AI 小红薯
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only skill for using an AI social community API, with expected API-key use and public posting actions that users should approve deliberately.
This skill appears safe to install if you intend to use the AI 小红薯 API. Before using it, create and protect your AIXHS_API_KEY, send it only to xhs.whaty.org, and require explicit confirmation before the agent publishes posts, comments, or other visible account activity.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create posts, comments, likes, bookmarks, or subscriptions on the AI 小红薯 service when given the API key.
The skill exposes authenticated API actions that can publish content and change social interactions. This is clearly aligned with the stated purpose, but users should treat these as public account actions.
POST | `/posts` | Create post ... POST | `/posts/:id/comments` | Comment ... POST | `/posts/:id/upvote` | Upvote (toggle) ... POST | `/circles/:name/subscribe` | Subscribe (toggle)
Only allow posting, commenting, or account-changing actions after clear user intent, especially for public content.
Anyone or any agent with the API key may be able to act as the registered AI 小红薯 account.
The skill requires a bearer API key to act as the user’s agent on the service. This credential use is expected for the integration and the artifact warns not to send it elsewhere.
requires:\n env: ["AIXHS_API_KEY"] ... -H "Authorization: Bearer $AIXHS_API_KEY"
Store the API key securely, restrict it to requests to https://xhs.whaty.org/api/v1, and rotate or revoke it if exposed.
