← Back to Skills Marketplace
264
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install xhs-surfer
Description
小红书智能浏览器自动化工具,AI驱动的社区冲浪和互动。 支持自动搜索、浏览、点赞、评论、关注等操作。 当用户要求浏览小红书、搜索内容、自动互动时触发。
Usage Guidance
This skill automates account actions (likes, comments, follows) and can read local cookies files and private messages — anything that gives it your cookies, credentials, or API keys can be used to act as your account. Before installing or running it: 1) Review the xhs-surfer PyPI package and its GitHub repo source code yourself to ensure it does what it claims. 2) Do not supply real account cookies/credentials or primary API keys to an untrusted package; prefer a throwaway/test account when experimenting. 3) Be cautious about providing LLM API keys — the SKILL.md references OPENAI/QWEN keys but they are not declared in metadata. 4) If you proceed, run the package in an isolated environment (VM/container) and limit network/proxy access; verify rate limits and safety settings to avoid account bans. 5) If you need the agent to act on private data (cookies, messages), accept that those items will be accessed — only proceed if you trust the package and have audited its code.
Capability Analysis
Type: OpenClaw Skill
Name: xhs-surfer
Version: 1.0.0
The xhs-surfer skill is a browser automation tool for Xiaohongshu that handles sensitive session cookies and requires external LLM API keys for automated interactions. While the functionality aligns with its stated purpose, the handling of authentication tokens and a discrepancy in the metadata—specifically a typo in the homepage URL (xhs_suffer vs xhs-surfer)—are indicators of potential risk or deceptive sourcing. The tool's high-privilege actions (automated social media engagement and credential management) warrant caution as they could be leveraged for account misuse if the underlying PyPI package is compromised.
Capability Assessment
Purpose & Capability
The name/description (XHS automation: search, browse, like, comment, follow) align with the instructions (Playwright-based browsing, actions like like/comment/follow, login via QR or cookies). Requesting python3 and recommending pip install xhs-surfer / playwright is consistent with building a browser automation skill. However, the skill also exposes features that access private content (check_messages) and instructs reading a cookies file — capabilities that are sensitive even if coherent with the purpose.
Instruction Scope
SKILL.md tells the agent to: pip install a package, run Playwright (which will download browser binaries), login via cookies_file (reads a local cookies.json), perform account actions (likes, comments, follows), and check private messages. It also references environment variables for LLM providers/keys (OPENAI_API_KEY, QWEN_API_KEY) that are not declared in the skill's top-level requirements. Instructions to read local cookie files and inspect DMs increase the sensitivity and risk surface and are not explicitly represented in the skill metadata.
Install Mechanism
There is no registry install spec, but SKILL.md instructs pip install xhs-surfer and running 'playwright install chromium'. Installing a third-party PyPI package and downloading Playwright browser binaries is a moderate install risk but expected for this functionality; the registry providing no automated install spec means the agent/user will perform the installation themselves. Verify the PyPI package source and repository before installing.
Credentials
The skill metadata declares no required env vars, yet SKILL.md shows expected environment variables (OPENCLAW_LLM_PROVIDER, OPENAI_API_KEY, LLM_PROVIDER, QWEN_API_KEY) and includes LLM configuration examples containing API keys. It also uses cookies files and proxy addresses (which imply reading local config). Requesting or using LLM API keys and local cookies is plausible for comment generation and session auth, but the skill does not declare these as required credentials — this mismatch reduces transparency and increases risk of accidental key/cookie exposure.
Persistence & Privilege
always is false and the skill is user-invocable only; it does not request permanent/all-agent inclusion and does not claim to modify other skills or global agent settings. No unusual persistence or privilege escalation is requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xhs-surfer - After installation, invoke the skill by name or use
/xhs-surfer - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
xhs-surfer v1.0.0 — 小红书智能自动冲浪和互动工具首发
- 首次发布:支持在小红书上自动搜索、浏览、点赞、评论、关注等一系列互动操作
- 提供自然语言控制(run)及结构化命令(execute)两种接口
- 灵活行为配置,包括浏览速度、互动概率、安全限制
- 支持登录、动态冲浪、实时指令和高级营销冲浪
- 完整API文档及多种使用示例
- 适配 Windows、macOS、Linux,兼容 OpenClaw Agent 和独立使用
Metadata
Frequently Asked Questions
What is Xhs Surfer?
小红书智能浏览器自动化工具,AI驱动的社区冲浪和互动。 支持自动搜索、浏览、点赞、评论、关注等操作。 当用户要求浏览小红书、搜索内容、自动互动时触发。 It is an AI Agent Skill for Claude Code / OpenClaw, with 264 downloads so far.
How do I install Xhs Surfer?
Run "/install xhs-surfer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xhs Surfer free?
Yes, Xhs Surfer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Xhs Surfer support?
Xhs Surfer is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).
Who created Xhs Surfer?
It is built and maintained by Jingliu (@xjlgod); the current version is v1.0.0.
More Skills