โ Back to Skills Marketplace
sexy-claw
by
deanzh0912
ยท GitHub โ
ยท v1.0.0
ยท MIT-0
80
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install sexy-claw
Description
๐ฆ ่ฒ๐้พ่พ - ๆ นๆฎไธปไบบๅฎก็พๅๅฅฝ๏ผๅจๅคไธชๅนณๅฐ๏ผๅฐ็บขไนฆใๆ้ณใYouTubeใB็ซ๏ผๆ็ดขๅนถๆจ่้ขๅผๅไธป/่ง้ขใ ่ชๅจ่ทๅ็จๆทcookies๏ผๅญฆไน ไธปไบบๅๅฅฝ๏ผๆจ้ไธชๆงๅๅ
ๅฎนใ ไฝฟ็จๅบๆฏ๏ผ - ไธปไบบ่ฏด"ๆพ็พๅฅณ/ๅฐๅงๅง/้ขๅผๅไธป" - ไธปไบบๆๅฐ็นๅฎๅนณๅฐ๏ผๅฐ็บขไนฆ/ๆ้ณ/YouTube/B็ซ๏ผ - ไธปไบบ็ปๅบๅฎก็พๅๅฅฝ๏ผๅฆ"...
Usage Guidance
This skill appears to implement the advertised search across platforms, but you should take precautions before installing or using it:
- Cookies are sensitive: the skill asks you to copy platform session cookies and saves them as plaintext JSON in the skill directory. Those tokens can grant account access. Only use throwaway accounts or be prepared to revoke/change cookies if compromised.
- Undeclared dependencies: the scripts call 'yt-dlp' and an 'xhs' CLI and use Python requests; they also attempt to source ~/.agent-reach-venv. Ensure you understand and audit those third-party tools (especially the xhs CLI) before running them. Install them from trusted sources.
- Verify behavior: inspect the xhs and yt-dlp commands and confirm the skill does not transmit cookies or preferences to any external endpoint. The packaged code shows no upload endpoints, but verify after any changes.
- Prefer ephemeral use: if possible, avoid long-term storage of live session cookies; use limited or logged-out searches or ephemeral browser profiles.
- If you lack technical skills: consider not installing or only run the scripts in an isolated environment (VM/container) and review/replace any hard-coded paths (e.g., the ~/.agent-reach-venv activation) before use.
Given these privacy and dependency mismatches, proceed only if you are comfortable managing session tokens and can verify the third-party tools the scripts invoke.
Capability Analysis
Type: OpenClaw Skill
Name: sexy-claw
Version: 1.0.0
The skill bundle is designed to solicit and store highly sensitive session cookies (e.g., Bilibili SESSDATA, Douyin sessionid, XHS web_session) from the user to perform searches. While the provided scripts (scripts/douyin_search.py, scripts/bilibili_search.py) use these cookies locally to interact with official APIs, the practice of credential harvesting is high-risk. Furthermore, scripts/xhs_search.py and scripts/youtube_search.py are vulnerable to shell injection via subprocess.run(shell=True) because they do not sanitize the keyword input, potentially allowing for remote code execution.
Capability Assessment
Purpose & Capability
The name/description (search and recommend creators across ๅฐ็บขไนฆ/ๆ้ณ/B็ซ/YouTube) matches the code: scripts query each platform. However the skill metadata declares no required binaries or environment variables while the code expects external CLIs (xhs, yt-dlp) and Python networking (requests). Also xhs_search.py activates a hard-coded virtualenv path (~/.agent-reach-venv) which is not documentedโthis is an unexplained dependency/mismatch.
Instruction Scope
SKILL.md instructs the user to extract and save platform cookies and the scripts read those cookies from references/platform_cookies.json. The description claims '่ชๅจ่ทๅ็จๆทcookies' but the runtime instructions require the user to manually copy cookies (no automated browser integration). The skill instructs opening video links locally (open), and scripts access the user's home path to source a virtualenv. These behaviors are within the stated purpose but involve handling sensitive session tokens and an undocumented venv path.
Install Mechanism
There is no install spec (instruction-only), so nothing is written by an installer. That reduces some risk. However the scripts depend on external tools (yt-dlp, xhs CLI) and Python packages (requests) that are not declared โ the skill will fail or behave unexpectedly unless the environment already has these tools. No downloads or remote install URLs are present.
Credentials
No environment variables or cloud credentials are requested, which is appropriate. But the skill explicitly asks for and stores authentication cookies (web_session/a1, sessionid/ttwid, SESSDATA/bili_jct). Those are high-sensitivity secrets that effectively grant session access to user accounts; storing them in a plaintext local JSON file is proportionate to the task but risky and should be made explicit to the user. The skill claims cookies are stored locally and not uploaded (and the code shows no exfiltration), but that guarantee is purely declarative and should be verified by users.
Persistence & Privilege
The skill does local persistence only (references/user_preference.json and references/platform_cookies.json). It is not 'always: true' and does not modify other skills or system-wide config. Local persistence is expected for user preferences and cookie storage, but it increases privacy risk due to stored session tokens.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install sexy-claw - After installation, invoke the skill by name or use
/sexy-claw - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Sexy-Claw v1.0.0
- ๅๅง็ๆฌๅๅธ๏ผ่ทจๅฐ็บขไนฆใๆ้ณใB็ซใYouTube ๅคๅนณๅฐๆ็ดขไธๆจ่้ขๅผ็ฑปๅ
ๅฎนใ
- ๆ นๆฎ็จๆทๅฎก็พใๅๅฅฝๅไธปๅๅนณๅฐ่ชๅจไธชๆงๅๆจ่๏ผๆ็ญ้จๅบฆๆๅบใ
- ๆฏๆ่ชๅจ่ทๅๅๆฌๅฐไฟๅญ็จๆท cookies๏ผไฟๆค้็งๅนถๆ็คบๅฎๆๆดๆฐใ
- ่ฎฐๅฝๅนถๆ็ปญๅญฆไน ็จๆทๅๅฅฝ๏ผๆๅๆจ่็ฒพๅๅบฆใ
- ๆไพ่ฏฆ็ปๆไฝๆต็จไธไฝฟ็จ่ฏดๆ๏ผไพฟๆท่ๆฌ่ฐ็จๅๅนณๅฐๅ
ๅฎนใ
Metadata
Frequently Asked Questions
What is sexy-claw?
๐ฆ ่ฒ๐้พ่พ - ๆ นๆฎไธปไบบๅฎก็พๅๅฅฝ๏ผๅจๅคไธชๅนณๅฐ๏ผๅฐ็บขไนฆใๆ้ณใYouTubeใB็ซ๏ผๆ็ดขๅนถๆจ่้ขๅผๅไธป/่ง้ขใ ่ชๅจ่ทๅ็จๆทcookies๏ผๅญฆไน ไธปไบบๅๅฅฝ๏ผๆจ้ไธชๆงๅๅ ๅฎนใ ไฝฟ็จๅบๆฏ๏ผ - ไธปไบบ่ฏด"ๆพ็พๅฅณ/ๅฐๅงๅง/้ขๅผๅไธป" - ไธปไบบๆๅฐ็นๅฎๅนณๅฐ๏ผๅฐ็บขไนฆ/ๆ้ณ/YouTube/B็ซ๏ผ - ไธปไบบ็ปๅบๅฎก็พๅๅฅฝ๏ผๅฆ"... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.
How do I install sexy-claw?
Run "/install sexy-claw" in the OpenClaw or Claude Code chat to install it in one step โ no extra setup required.
Is sexy-claw free?
Yes, sexy-claw is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does sexy-claw support?
sexy-claw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created sexy-claw?
It is built and maintained by deanzh0912 (@deanzh0912); the current version is v1.0.0.
More Skills