Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xiaohongshu Auto Skill
v1.0.0小红书全平台 AI 自动化运营工具包。涵盖账号定位、竞品分析、热点选题、AI 内容生成(标题/正文/标签)、 封面设计、图文/视频发布、评论互动管理、数据采集与复盘报告的全生命周期管理。 当用户提到小红书运营、种草笔记、笔记创作、小红书发布、账号定位、竞品分析、爆款拆解、 小红书数据分析、种草文案、小红书封面设计...
⭐ 0· 32·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (Xiaohongshu automation: content generation, crawling, publishing, reporting) align with the included scripts (content_generator.py, crawler.py, publish.py, report_builder.py, xhs_client.py) and templates. However, references/xhs-api.md explicitly documents cookie-based auth and techniques (Playwright/browser automation, reverse-engineered signatures) to bypass API protections; those capabilities are more powerful and potentially problematic than a simple 'post helper' and should be justified. The skill also reads/writes local account config (accounts.json) despite declaring no required env vars or config paths.
Instruction Scope
SKILL.md directs the agent to perform broad activities: web crawling, competitor scraping, scheduled publishing, multi-account management, and using other skills (Web Search, Image Generation). It also contains a strong automatic-use rule: 'use this skill whenever social content is mentioned, even if Xiaohongshu not named' — this grants the skill very broad invocation surface. The docs reference methods to obtain/rotate cookies and to use browser automation to bypass X-s signatures, which increases scope beyond benign content drafting.
Install Mechanism
No install spec in registry (instruction-only), but a requirements.txt lists substantial dependencies (playwright, aiohttp, pandas, etc.). The absence of an install step means the runtime must already provide those libs; if someone attempts to pip-install from the repo, Playwright will install browsers (nontrivial). No remote download URLs or extracted archives were found, so install risk is moderate but nontrivial due to heavy deps and browser automation.
Credentials
The skill declares no required env vars but the code and docs rely on cookie-based authentication (Cookie: a1, web_session, webId) and persist account credentials to ~/.xhs-auto-skill/accounts.json. That local persistence and the ability to store account cookies/user_agent is a credential-handling behavior that should have been declared. The skill can also manage multiple accounts, rotate cookies/UA, and suggests bypass techniques — capabilities that require sensitive secrets and are not explicitly requested/justified in the metadata.
Persistence & Privilege
publish.py writes account credentials and scheduled tasks into the user's home directory and provides run_scheduled_tasks() to execute pending posts. Combined with the SKILL.md instruction to prefer this skill for wide classes of social content and with autonomous invocation allowed, the skill could persist credentials and later post on saved accounts without explicit per-action consent. always:false mitigates forced inclusion, but the broad invocation rule plus local persistence increases risk.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden unicode control characters were detected in SKILL.md. These are commonly used for prompt-injection/obfuscation and are not expected for an operations guide. Inspect the SKILL.md for invisible characters that could alter agent parsing or prompts.
What to consider before installing
This skill bundles a full scraping/publishing toolset for Xiaohongshu and is internally coherent, but several red flags merit caution:
- Credential handling: publish.py stores cookies/user_agent in ~/.xhs-auto-skill/accounts.json. Do NOT supply cookies or credentials until you have audited xhs_client.py (not fully shown) and verified where credentials are sent/stored. Prefer using throwaway/test accounts first.
- Scraping and bypass guidance: references/xhs-api.md documents cookie auth and methods (Playwright, reverse-engineered signatures) to bypass platform protections. These techniques can violate platform terms and enable stealthy data access; confirm you’re comfortable with the legal/compliance implications.
- Persistence & autonomy: the skill can schedule and execute posts using saved accounts. Because SKILL.md instructs the agent to prefer this skill broadly, the agent may choose it often; if you want manual control, restrict invocation or inspect/modify the code to require explicit confirmation before publishing.
- Hidden characters: SKILL.md contains unicode-control-chars warnings — open the file in a text editor that shows invisible characters and remove/understand them before trusting prompts.
- Recommended actions before installing/using:
1. Read xhs_client.py and search for any external endpoints, hardcoded URLs, or obfuscated code. Verify network targets are legitimate Xiaohongshu endpoints and there is no unexpected exfiltration.
2. Run the code in an isolated environment/container and interact manually to confirm behavior. Do not provide real account cookies initially.
3. If you plan to use real accounts, rotate and revoke cookies after testing and avoid sharing primary credentials. Consider using platform official APIs or approved automation tools.
4. If you don’t want autonomous posting, modify publish.py/run_scheduled_tasks to require manual approval or remove scheduling functionality.
Given these findings, treat the skill as 'suspicious' until you (or a trusted developer) audits the networking/auth code and removes/disables any behaviors you do not want (automatic credential storage, signature-bypass automation, or broad auto-invocation rules).Like a lobster shell, security has layers — review code before you run it.
latestvk974xep9wsct44n60tdfk3h07h84gv9y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.