xhs-copywriter

by if530770 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads 141
Stars 0
Active Installs 1
Versions 1
Install in OpenClaw
/install xhs-copywriter
Description
Generates trending Xiaohongshu notes by extracting hot keywords, popular structures, and engagement tips for ready-to-post, high-potential content.
Usage Guidance
This skill's goal (generate Xiaohongshu copy) is plausible, but exercise caution before running it.
Specific concerns:
  (1) the bundled script posts user keywords to an unverified third‑party domain (onetotenvip.com) rather than an official Xiaohongshu API;
  (2) the script intentionally disables TLS hostname verification and avoids sending SNI, which is unusual and potentially used to evade controls;
  (3) SKILL.md references a report_template.md that is not included and contains contradictory rules about showing raw data vs. listing full reference notes.
Before installing or running:
  (a) ask the publisher to disclose and justify the external API, and to provide its privacy policy and uptime/ownership details;
  (b) ask why the code disables certificate checking and SNI;
  (c) request the missing references/report_template.md and clarification on the conflicting display rules;
  (d) avoid entering any sensitive or personal keywords until you trust the endpoint;
  (e) if you must test, run the script in an isolated sandbox with network monitoring to observe outbound requests, or replace the network call with a vetted data source or a local mock.
If the publisher cannot justify the third‑party endpoint and the TLS bypass, do not use this skill with real user data.
Capability Analysis
Type: OpenClaw Skill
Name: xhs-copywriter
Version: 1.0.0
The skill bundle contains a Python script (`scripts/fetch_xhs_trends.py`) that implements a custom HTTP client using raw sockets to fetch data from an external API (onetotenvip.com). This script explicitly disables SSL certificate verification (`ssl.CERT_NONE`) and SNI (Server Name Indication), which are critical security vulnerabilities that expose the agent to Man-in-the-Middle (MitM) attacks. While these techniques are likely used to bypass specific server-side anti-scraping measures for its stated purpose of generating social media content, the intentional weakening of transport security and the use of a hardcoded third-party endpoint represent significant security risks.
Capability Assessment
Purpose & Capability
Name/description: generate Xiaohongshu (小红书) trending notes. Implementation: includes a Python script that sends user keywords to https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData (a third‑party domain, not an official Xiaohongshu endpoint). Requiring an external aggregator API can be legitimate, but using an unvetted domain for all data collection is disproportionate to the stated purpose unless the README documents and verifies that service. No explanation or homepage is provided for that endpoint.
Instruction Scope
SKILL.md requires running the bundled script and mandates following references/core_workflow.md, but also mandates reading references/report_template.md when generating HTML — that file is not present in the package (missing file). The core workflow forbids showing raw data to users yet later requires listing 2–3 reference notes with full interaction data (titles, links, author, full interaction counts) — that is internally contradictory. The script will transmit user-provided keywords to an external host; SKILL.md does not explicitly disclose the external endpoint or how data is handled.
Install Mechanism
No install spec (instruction-only), so nothing is written to disk by an installer. However the package includes an executable Python script (scripts/fetch_xhs_trends.py) that will be executed at runtime. There is no package download/install risk, but executing bundled code that performs network I/O is still an active risk.
Credentials
The skill requests no environment variables or credentials (good), but the script sends user-supplied keywords and other parameters to an external service. Even without explicit credentials, this is a data‑exfiltration/privacy risk: user queries (which may include sensitive info) will be transmitted to onetotenvip.com. Additionally, the script disables TLS hostname checking and certificate verification and avoids sending SNI — these behaviors are unusual for a benign client and suggest attempts to bypass server/domain controls or monitoring.
Persistence & Privilege
The skill is not marked always:true, requests no system config paths, and does not declare persistence. It appears not to modify other skills or system-wide settings. The main privilege is runtime execution of the bundled script (normal for a code-including skill).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xhs-copywriter
  3. After installation, invoke the skill by name or use /xhs-copywriter
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
xhs-title-copywriter 1.0.0
- Skill renamed to “xhs-copywriter” with a stronger emphasis on generating full Xiaohongshu notes, not just titles.
- Skill description updated to highlight comprehensive note creation, including structure, content, and engagement tips.
- Added new reference: xhs_trend_data_format.md, specifying data format requirements.
- Reference to removed data file: 美式咖啡_爆款数据.md.
- Instructions for generating HTML reports and using additional reference files clarified.
Metadata
Slug xhs-copywriter
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is xhs-copywriter?

Generates trending Xiaohongshu notes by extracting hot keywords, popular structures, and engagement tips for ready-to-post, high-potential content. It is an AI Agent Skill for Claude Code / OpenClaw, with 141 downloads so far.

How do I install xhs-copywriter?

Run "/install xhs-copywriter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is xhs-copywriter free?

Yes, xhs-copywriter is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does xhs-copywriter support?

xhs-copywriter is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created xhs-copywriter?

It is built and maintained by if530770 (@if530770); the current version is v1.0.0.
