← Back to Skills Marketplace
人群宇宙投放追踪周报
by
peike-boop
· GitHub ↗
· v1.1.0
· MIT-0
71
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install xhs-universe-weekly
Description
人群宇宙投放追踪周报自动生成工具。支持任意行业(家清、美妆、母婴、食品等),只需提供 RedBI 看板地址和行业人群包名称,自动拉取数据、对比人群宇宙 vs 整体种草效果、按三类逻辑分层客户优先级(未投放/效果好投入少/数据不及整体),生成可视化 HTML 周报和 Redoc 在线文档。触发词:人群宇宙周报、人群...
Usage Guidance
This appears to be an internal reporting tool that legitimately needs access to your company's RedBI data, so its behavior (reading an SSO cookie, calling internal APIs, downloading CSVs and images, generating HTML and publishing Redoc) makes sense — but there are important transparency gaps: the skill metadata does not declare the SSO credential or the dependency on another skill's run-sso.sh helper, nor does it list required runtime tools (bunx, @xhs/hi-workspace-cli, Python libs). Before installing or enabling: 1) Confirm you trust the skill author and that this will run only in a controlled internal environment. 2) Verify the presence and safety of /home/node/.token/sso_token.json and /app/skills/data-fe-common-sso/script/run-sso.sh (audit those files). 3) Ensure required runtimes (bunx, Python packages) are available and that publishing to Redoc uses internal endpoints only. 4) Be aware the skill will start a local HTTP preview (pod_ip:18765) — confirm that serving this port is allowed and not exposed to public network. If you need higher assurance, ask the maintainer to update metadata to declare required config paths/credentials and dependency tools or to provide a reviewed install manifest.
Capability Analysis
Type: OpenClaw Skill
Name: xhs-universe-weekly
Version: 1.1.0
The skill bundle automates internal business reporting for Xiaohongshu (XHS) employees, requiring high-risk capabilities such as reading SSO tokens from the filesystem (`/home/node/.token/sso_token.json`), executing shell scripts (`fetch_data.sh`), and starting a local HTTP server for report previews. While these actions are aligned with the stated purpose of fetching data from internal BI tools (`redbi.devops.xiaohongshu.com`) and publishing to internal documentation platforms (`docs.xiaohongshu.com`), the use of sensitive credentials and shell execution meets the criteria for a 'suspicious' classification despite the lack of clear malicious intent.
Capability Assessment
Purpose & Capability
The skill claims to pull RedBI data and produce HTML + Redoc reports; the provided scripts and SKILL.md show exactly that (downloading CSVs, classifying clients, generating HTML, publishing via hi-workspace-cli). Access to RedBI and note images via SSO is coherent with the stated purpose. However, the skill metadata declares no required credentials or config paths while the instructions and scripts clearly read an SSO cookie file and call another skill's run-sso.sh helper — this mismatch should have been declared.
Instruction Scope
Runtime instructions and scripts read /home/node/.token/sso_token.json to obtain an SSO cookie, call internal endpoints (redbi.devops.xiaohongshu.com and xiaohongshu.com) and download CSVs/images, start a local HTTP preview, and call bunx/@xhs/hi-workspace-cli to publish Redoc. These actions are within the feature scope, but they access sensitive local credential files and another skill's script path (/app/skills/data-fe-common-sso/script/run-sso.sh) that are not listed in the skill metadata — an important scope/visibility gap.
Install Mechanism
No install spec (instruction-only plus included scripts). That lowers install risk — nothing is downloaded/installed by the registry metadata. Note: SKILL.md expects tools (bunx, bunx package @xhs/hi-workspace-cli) and Python packages (pandas, openpyxl) to exist at runtime but doesn't declare them.
Credentials
The metadata lists no required environment variables or config paths, yet the code reads a local SSO token file (/home/node/.token/sso_token.json) and relies on another skill's run-sso.sh helper at /app/skills/data-fe-common-sso/script/run-sso.sh. The SSO cookie is effectively a credential used to access internal data; not declaring it (or the dependency on the other skill) is a proportionality/visibility problem.
Persistence & Privilege
always is false and the skill does not request persistent/enforced inclusion. The skill reads local files and writes temporary CSVs and cached base64 images to /tmp paths; it does not modify other skills' configuration. Starting a local HTTP server to serve a preview is normal for this use-case but means the agent will expose a pod IP/port — users should consider network exposure policies.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xhs-universe-weekly - After installation, invoke the skill by name or use
/xhs-universe-weekly - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
优化取数规范:环比自算、第二节卡片精简、客户渗透率定义、笔记去重
Metadata
Frequently Asked Questions
What is 人群宇宙投放追踪周报?
人群宇宙投放追踪周报自动生成工具。支持任意行业(家清、美妆、母婴、食品等),只需提供 RedBI 看板地址和行业人群包名称,自动拉取数据、对比人群宇宙 vs 整体种草效果、按三类逻辑分层客户优先级(未投放/效果好投入少/数据不及整体),生成可视化 HTML 周报和 Redoc 在线文档。触发词:人群宇宙周报、人群... It is an AI Agent Skill for Claude Code / OpenClaw, with 71 downloads so far.
How do I install 人群宇宙投放追踪周报?
Run "/install xhs-universe-weekly" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 人群宇宙投放追踪周报 free?
Yes, 人群宇宙投放追踪周报 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 人群宇宙投放追踪周报 support?
人群宇宙投放追踪周报 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 人群宇宙投放追踪周报?
It is built and maintained by peike-boop (@peike-boop); the current version is v1.1.0.
More Skills