小红书竞品监控助手

小红书竞品监控 - 自动采集竞品笔记，推送飞书通知，写入数据看板

What to check before installing/running: - Dependencies: The metadata only mentions puppeteer-core, but the code uses puppeteer-extra and puppeteer-extra-plugin-stealth. Make sure package.json lists all needed packages or run npm install for the additional modules before running. - Environment vars: Set CHROMIUM_PATH (path to Chrome/Chromium) and XHS_DATA_DIR as instructed. The skill's declared requirements do not list these, so you must provide them manually. - Remote debugging risk: run.sh and instructions start Chrome with --remote-debugging-port. If that port is reachable from other machines, the browser can be remotely controlled. Only launch remote debugging on a trusted, firewalled host (bind to localhost or block the port externally). - Persistent session data: the skill stores browser user-data and history.csv in the data directory. Do not run this on a machine containing sensitive accounts unless you accept stored session artifacts. Do not commit config.js or data/ to a public repo. - Feishu (Lark) / Bitable: notify.example.js shows where you would put tokens. Only copy secrets into notify.js after auditing it. If you add app tokens, the skill will send data externally — review and limit what is sent. - Run in isolation: consider running in a dedicated environment (VM/container) to reduce risk of browser remote-control or accidental data leakage. - Safety improvements: ask the author for a complete package.json, explicit list of required env vars in metadata, and a note about binding remote-debugging to localhost. If you cannot get that, treat the skill as requiring manual vetting before use. Overall: the project appears to do what it says, but the metadata/documentation mismatches and the operational choices (remote debugging, persistent sessions, incomplete declared dependencies) are reasons to review and harden it before deploying on a sensitive host.

Type: OpenClaw Skill Name: xhs-monitor Version: 1.0.1 The skill bundle implements a Xiaohongshu (Red) scraper using Puppeteer with several high-risk configurations, including disabling the browser sandbox ('--no-sandbox') and managing persistent user sessions via 'userDataDir' (found in daemon.js and scraper.js). It utilizes shell scripts (run.sh) and a custom scheduler (scheduler.js) to execute node processes and manage browser instances via remote debugging ports (9223). While these capabilities are plausibly required for the stated purpose of automated competitor monitoring and session persistence, the use of insecure browser flags and broad file system access for session data constitutes a significant security risk without further isolation.