xhs-auto
by Weizheng Lu · v1.0.0
495 Downloads · 1 Stars · 3 Active Installs · 1 Versions
Install in OpenClaw
/install xhsauto
Description
Xiaohongshu automated publishing workflow that chains topic input, image generation, copy drafting, and debug-publish validation.
Usage Guidance
This skill appears to implement the advertised Xiaohongshu automation flow, but it expects you to provide model gateway API keys (GOOGLE/GEMINI or SEED) even though the registry metadata doesn't declare them. Before installing:
- Review and be comfortable with the included scripts (they are plain Bash/Python and call external API endpoints).
- Understand that any prompt text and any base images you pass to the tool will be uploaded to the configured external gateway (so avoid sending sensitive/private images or text).
- Only provide API keys with limited scope or dedicated/test keys, and consider using a proxy/gateway you control.
- Verify trustworthiness of xhs-kit (pip package) before granting publish credentials for real posting.
- Test in a sandbox or VM, and use the documented debug-publish mode (which claims not to perform an actual publish) before attempting a real publish.
The primary issue is transparency about required credentials — correct that omission or proceed only after accepting the privacy/network implications.
Capability Analysis
Type: OpenClaw Skill
Name: xhsauto
Version: 1.0.0
The skill bundle's stated purpose is benign, but the `scripts/xhs-image.sh` and `scripts/xhs-image.py` files contain several vulnerabilities that could be exploited via prompt injection against the OpenClaw agent. Specifically, both scripts allow writing to arbitrary file paths via the `--output` argument and reading arbitrary files via the `--base-image` argument, posing risks of arbitrary file write and information disclosure. Additionally, `xhs-image.sh` is vulnerable to shell injection if the `--base-image` argument contains shell metacharacters, as it's directly used in a `curl` command without proper sanitization. While there's no evidence of intentional malicious behavior (e.g., hardcoded exfiltration domains), these critical vulnerabilities make the skill bundle suspicious.
Capability Assessment
Purpose & Capability
Name/description match the included scripts and the xhs-kit publishing flow. Requested binaries (bash, curl, jq, base64, xhs-kit) are appropriate. However, the registry metadata declares no required environment variables while both scripts and documentation require sensitive API keys (GOOGLE_API_KEY/GEMINI_API_KEY and/or SEED_API_KEY). That undeclared credential requirement is an incoherence.
Instruction Scope
SKILL.md instructs the agent to generate text and images, save outputs under ${workspace}/xhs-auto/{timestamp}, and call xhs-kit debug-publish — all within the stated purpose. The scripts will read environment variables for API keys and will transmit prompts and (for edit mode) image bytes to external OpenAI-compatible endpoints; this is expected for image generation but means user-supplied images or prompts will be sent off-host.
Install Mechanism
No install spec (instruction-only skill) and included code files are local. Nothing in the manifest pulls arbitrary remote installers or archives. The README suggests installing public packages (pip, playwright) which is normal.
Credentials
The skill requires API keys for external model gateways (Google/Gemini or ByteDance Seed) but the registry lists no required env vars. Those keys are sensitive and will be used to make external network calls; the omission from the declared requirements is a mismatch and reduces transparency. xhs-kit may also require login credentials for real publishing (not needed for debug), which the docs mention.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It writes outputs into a workspace subdirectory (documented) and does not request system-wide privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install xhsauto
- After installation, invoke the skill by name or use /xhsauto
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
xhs-auto 1.0.0
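- Supports an automated Xiaohongshu content publishing workflow, including topic input, image generation, copy drafting, and content validation.
- If the user does not provide an image, automatically generates an image-generation prompt from the topic and copy and calls the script to generate the image.
- Generated content (title, body, image paths, etc.) is automatically organized and written to the specified directory.
- Calls the interface of xhs-kit, the Xiaohongshu auto-publishing tool, to run content compliance validation.
- Supports cross-platform use.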
Frequently Asked Questions
What is xhs-auto?
A Xiaohongshu automated publishing workflow that chains topic input, image generation, copy drafting, and debug-publish validation. It is an AI Agent Skill for Claude Code / OpenClaw, with 495 downloads so far.
How do I install xhs-auto?
Run "/install xhsauto" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xhs-auto free?
Yes, xhs-auto is completely free (open-source). You can download, install and use it at no cost.
Which platforms does xhs-auto support?
xhs-auto is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created xhs-auto?
It is built and maintained by Weizheng Lu (@luweizheng); the current version is v1.0.0.