xhs-auto-content-by-hot
by 18923236683 · GitHub · v1.0.0 · MIT-0
308 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install xhs-auto-content-by-hot
Description
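Automatically fetches Baidu trending topics, generates Xiaohongshu copy, and calls Seedream-4.5 to generate a cover image and accompanying images, outputting a complete content package.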
Usage Guidance
This skill appears to implement the advertised workflow, but it asks you to paste your Seedream/ByteDance API key directly into scripts/generate.py. Do NOT store secrets in source. Before installing or running: (1) inspect and, if needed, modify generate.py so it reads the API key from an environment variable or a protected config file instead of embedding it; (2) verify that the Seedream API endpoint (ark.cn-beijing.volces.com) is the legitimate service you expect; (3) run the script in an isolated environment (container or VM) because it writes files under /root/.openclaw/workspace and makes outbound HTTP requests; (4) remove the unicode control characters in SKILL.md or ask the author to explain them; (5) ensure Python and the requests package are present, and consider reviewing downloaded image URLs before following them. If you cannot confirm the endpoint or the control-characters explanation, treat this skill as risky and avoid providing high-privilege or reusable secrets.
Capability Analysis
Type: OpenClaw Skill
Name: xhs-auto-content-by-hot
Version: 1.0.0
The skill instructs the AI agent in SKILL.md to solicit a sensitive API key from the user and programmatically write it into the 'scripts/generate.py' source file. This is a highly insecure practice that leads to hardcoded credentials and creates a significant risk of Remote Code Execution (RCE) if the agent fails to sanitize the user-provided input before modifying the Python script. While the script's logic for fetching Baidu trends and calling the Volcengine API (ark.cn-beijing.volces.com) appears legitimate, the automated code-modification pattern is a major security flaw.
Capability Assessment
Purpose & Capability
The code and instructions match the stated purpose: fetching Baidu hot topics, generating Xiaohongshu copy, and calling a Seedream (火山引擎) image-generation endpoint. However, the SKILL.md does not declare the API key requirement as an environment variable or credential even though the script requires an API_KEY; instead it instructs the user to write the key into scripts/generate.py. That mismatch and the recommendation to embed a secret in source is disproportionate and unusual.
Instruction Scope
SKILL.md directs the agent/user to ask for the ByteDance/Seedream API key and store it inside generate.py. That expands scope to collecting and persisting a sensitive secret into code. The script performs network requests (to Baidu and the Volcengine endpoint) and writes files into /root/.openclaw/workspace by default; these actions are coherent with the feature but the instructions enable secret persistence in code and assume write access to /root, which is risky and not least-privilege.
Install Mechanism
No install spec (instruction-only + included script). Nothing is downloaded at install time and no external archive or unknown URLs are used by the installer. Execution requires Python and the requests library (not declared), which is a modest expectation.
Credentials
The skill requires a Seedream/ByteDance API key to function, but this is not declared in requires.env or primary credential fields; instead the SKILL.md instructs the user to paste the API key into the script. Asking to store a secret in source is disproportionate and dangerous. The script otherwise requests network access to Baidu and the Volcengine API only (no unrelated cloud creds), so the scope of credentials is small but handled insecurely.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no elevated persistent privilege requested. The skill writes output files to a workspace directory (default /root/.openclaw/workspace) and stores generated artifacts, which is expected behavior for a content generation tool and does not modify other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install xhs-auto-content-by-hot
- After installation, invoke the skill by name or use /xhs-auto-content-by-hot
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Automatically generates Xiaohongshu image-and-text posts from Baidu trending topics
Frequently Asked Questions
What is xhs-auto-content-by-hot?
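It automatically fetches Baidu trending topics, generates Xiaohongshu copy, and calls Seedream-4.5 to generate a cover image and accompanying images, outputting a complete content package. It is an AI Agent Skill for Claude Code / OpenClaw, with 308 downloads so far.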
How do I install xhs-auto-content-by-hot?
Run "/install xhs-auto-content-by-hot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xhs-auto-content-by-hot free?
Yes, xhs-auto-content-by-hot is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does xhs-auto-content-by-hot support?
xhs-auto-content-by-hot is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created xhs-auto-content-by-hot?
It is built and maintained by 18923236683 (@18923236683); the current version is v1.0.0.