← Back to Skills Marketplace

post-to-xhs

Name: post-to-xhs
Author: luweizheng

by Weizheng Lu · GitHub ↗ · v1.0.1

cross-platform ⚠ suspicious

536

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install post2xhs

Description

小红书内容发布与管理助手。当用户要求登录、发小红书、搜索小红书、评论点赞收藏等任何小红书相关操作时使用。

Usage Guidance

This skill is coherent for automating Xiaohongshu actions, but it delegates work to a third‑party Python package (xhs-mcp-py) and Playwright/Chromium which you must install. Before installing/running: 1) review the xhs-mcp-py package source (PyPI project, repo) to ensure you trust it; 2) run it in an isolated environment (VM/container) if you are unsure; 3) be aware the tool will save login cookies and print tokens (xsec_token) — treat those as sensitive credentials; 4) do not run this on systems holding other secrets or high privileges without review; 5) install zbar/ImageMagick only if needed and from official OS packages. If you want a higher assurance, ask the skill author for a code repository link or a signed release before installing.

Capability Analysis

Type: OpenClaw Skill Name: post2xhs Version: 1.0.1 The skill bundle is classified as suspicious due to its reliance on executing external binaries (`xhs-mcp`) with user-controlled input and handling user-provided file paths for publishing content, as detailed in `SKILL.md`. These actions introduce potential vulnerabilities such as shell injection or path traversal if the underlying `xhs-mcp-py` tool or its dependencies (like `convert` from ImageMagick, which has a history of vulnerabilities) do not adequately sanitize or validate inputs. While the stated purpose of Xiaohongshu content management appears benign, the inherent risks associated with these capabilities without clear evidence of robust input sanitization warrant a 'suspicious' classification, rather than 'malicious' as there is no proof of intentional harmful behavior or prompt injection against the agent.

Capability Assessment

✓ Purpose & Capability

The name/description (posting and managing Xiaohongshu content) match the instructions: installing a Python CLI (xhs-mcp-py), using Playwright/Chromium for browser-based login/automation, and providing commands for publish/search/like/comment. The required binary 'convert' (ImageMagick) is plausible for image processing.

ℹ Instruction Scope

SKILL.md stays focused on Xiaohongshu workflows (login, publish, search, interact). It instructs installing/playwright and running xhs-mcp commands that read image/video files supplied by the user and persist cookies locally. Note: the tool prints/returns tokens (xsec_token) and stores cookies (7–30 days), which are necessary for the described actions but are sensitive local artifacts.

ℹ Install Mechanism

The skill itself has no install spec, but the instructions require installing a third‑party Python package (pip install xhs-mcp-py) and Playwright browsers. These are reasonable for a CLI that automates a web UI, but they mean arbitrary code will be downloaded and executed from PyPI and Playwright's distribution — users should vet that package/source before installing.

✓ Credentials

The skill declares no environment variables or credential requirements. The runtime behavior relies on interactive login (QR code, browser) and local cookie storage; sensitive data (cookies, xsec_token) are produced by normal operations and are proportionate to the skill's purpose.

✓ Persistence & Privilege

always is false and the skill is user-invocable. The documented persistence is limited to the tool's local cookie files (login lifetime ~7–30 days). The skill does not request elevated system-wide privileges or modification of other skills' configs.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install post2xhs
After installation, invoke the skill by name or use /post2xhs
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.1

Version 1.0.1 - 登录流程与命令行参数文档全面优化，登陆流程明确分为终端二维码、浏览器扫码、二维码图片三种方式，并注明 fallback 逻辑。 - 所有小红书操作指令重新梳理，对参数的必需性、可多次指定等用法做了精确说明。 - 命令提示、示例与参数表标准化，便于直接用命令行操作，无需阅读源码。 - 统一文档风格、减少重复，突出登录/搜索/发布/互动等操作流程，显著提升易读性和新手指引友好度。 - 新增对 headless 参数说明，便于“有头/无头”自动化切换。

v1.0.0

Initial release of post-to-xhs: 小红书内容发布与管理助手 - 登录 - 发布图文、视频、文字 - 评论、点赞

Metadata

Slug post2xhs

Version 1.0.1

License —

All-time Installs 0

Active Installs 0

Total Versions 2

Frequently Asked Questions

What is post-to-xhs?

小红书内容发布与管理助手。当用户要求登录、发小红书、搜索小红书、评论点赞收藏等任何小红书相关操作时使用。 It is an AI Agent Skill for Claude Code / OpenClaw, with 536 downloads so far.

How do I install post-to-xhs?

Run "/install post2xhs" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is post-to-xhs free?

Yes, post-to-xhs is completely free (open-source). You can download, install and use it at no cost.

Which platforms does post-to-xhs support?

post-to-xhs is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created post-to-xhs?

It is built and maintained by Weizheng Lu (@luweizheng); the current version is v1.0.1.

More Skills