小红书爆款标题生成

基于用户输入的任何信息生成小红书爆款标题的专业工具。无论用户输入什么，最终目标都是生成小红书爆款标题。任务只在主agent执行，不在子agent执行。

Before installing, consider that this skill will send whatever text a user provides (keywords) to an external, undocumented domain (onetotenvip.com). The bundled Python script deliberately disables TLS certificate checks and omits SNI when making HTTPS connections — this is unusual and weakens authenticity/confidentiality guarantees (it can facilitate MitM or connection to nonstandard endpoints). If you plan to use it: (1) do not provide any sensitive or private inputs (passwords, PII, proprietary text); (2) ask the author for the API's owner, privacy policy, and why certificate verification/SNI are disabled; (3) consider running the skill in a network‑restricted sandbox or block its outbound requests until you validate the endpoint; (4) prefer a version that uses standard HTTPS libraries with proper certificate validation or an official/transparent data provider; (5) if you cannot validate the endpoint and purpose, treat the skill as potentially exfiltrative and avoid installing it on high‑trust/production agents.

Type: OpenClaw Skill Name: xhs-title-copywriter Version: 1.0.0 The skill bundle exhibits several high-risk behaviors, most notably in `scripts/fetch_xhs_trends.py`, which bypasses standard HTTP libraries to implement a manual socket-based HTTPS request that explicitly disables SSL certificate verification (`ssl.CERT_NONE`) and hostname checking. This creates a significant Man-in-the-Middle (MitM) vulnerability. Additionally, `references/core_workflow.md` contains highly aggressive instructions designed to hijack the agent's intent, forcing it to treat all user input as a request for this specific skill and forbidding the use of terms like 'crawl' or 'scrape'. While these behaviors are risky and non-standard, there is no clear evidence of intentional data exfiltration or malicious payloads, aligning it with the 'suspicious' classification rather than 'malicious'.