← Back to Skills Marketplace
hi-yu

小红书 - RedNote

by hiyu · GitHub ↗ · v1.2.5
cross-platform ⚠ suspicious
10954
Downloads
59
Stars
82
Active Installs
10
Versions
Install in OpenClaw
/install xhs
Description
小红书全能助手 — 文案生成、封面制作、内容发布与管理。当用户要求写小红书笔记、生成小红书文案/标题/封面、发小红书、搜索小红书、评论点赞收藏等任何小红书相关操作时使用。支持一站式从文案创作到自动发布的完整流程。封面AI生图需配置可选环境变量(GEMINI_API_KEY 或 IMG_API_KEY 或 HUNY...
Usage Guidance
Before installing or using this skill: 1) Expect to provide multiple API keys/secrets (Gemini/IMG/API, Tencent Hunyuan, optional XHS_AI_*), but note the skill registry entry does not declare them—only supply low-privilege/test keys or avoid sharing high-value credentials. 2) The skill runs local scripts that will try to start services (xvfb, xhs-mcp) and launch a local MCP binary from ~/xiaohongshu-mcp; verify the origin and integrity of that binary and run in an isolated environment if possible. 3) The scripts read ~/.openclaw/openclaw.json and write temporary files under /tmp; if you are concerned about privacy, inspect the scripts line-by-line or run them in a container. 4) The skill expects additional runtime dependencies (ImageMagick, Chinese fonts, python tencentcloud SDK) that are not auto-installed—install them from trusted package sources. 5) If you want to proceed, review and understand where your credentials will be used and avoid pasting production/high-privilege secrets until you confirm the MCP binary and scripts come from a trustworthy source.
Capability Analysis
Type: OpenClaw Skill Name: xhs Version: 1.2.5 The skill is classified as suspicious due to several high-risk capabilities and potential vulnerabilities. It downloads and executes an untrusted, pre-compiled binary (`xiaohongshu-mcp-linux-amd64`) from GitHub (supply chain risk) and sets it up as a persistent systemd service (`xhs-mcp.service`). A critical vulnerability exists in `SKILL.md` and `scripts/cover.sh` where user-provided input for `xdotool type` (for login codes) and image paths (`__USER_IMAGE__:/path/to/image.jpg`) is used directly, posing risks of command injection against the GUI application and local file inclusion/disclosure, respectively. While these capabilities are part of the stated purpose, their insecure handling of user input and reliance on untrusted binaries make the skill highly susceptible to exploitation.
Capability Assessment
Purpose & Capability
The skill's name/description (content generation, cover creation, publish/search/interact) aligns with included scripts and instructions. Required binaries (ImageMagick's convert and curl) are reasonable. However the registry metadata lists no required environment variables while the scripts and SKILL.md clearly require many API keys (GEMINI_API_KEY, IMG_API_KEY/IMG_API_BASE, HUNYUAN_SECRET_ID/HUNYUAN_SECRET_KEY, XHS_AI_API_KEY/XHS_AI_API_URL/XHS_AI_MODEL, XHS_MCP_URL, etc.), which is an incoherence between declared requirements and actual needs.
Instruction Scope
Runtime instructions and scripts do more than simple text generation: they read user agent config (~/.openclaw/openclaw.json), invoke/initialise a local MCP service via HTTP, create/inspect /tmp files (e.g. /tmp/xhs_headers), attempt to start system services (systemctl start xvfb, xhs-mcp) and launch binaries in the user's home directory. These actions are plausible for a publish/automation skill but expand scope (service control, local binary execution, reading user config) and require caution.
Install Mechanism
There is no formal install spec (instruction-only), which is lower-risk for arbitrary downloads. However the included scripts rely on external Python libraries (e.g., tencentcloud SDK) and system components (fonts-noto-cjk, ImageMagick) that are not automatically installed or declared. The scripts may fail or attempt manual remedial actions (starting services) — missing dependency handling is a practical risk.
Credentials
The skill uses and may request many sensitive credentials and env vars (Gemini/OpenAI image keys, Tencent Hunyuan secret id/key, XHS AI API keys, possibly MCP URL). None of these are declared in the registry 'required env vars' list. Requiring multiple unrelated secrets (image APIs + AI API + local service URL) without declaring them is disproportionate and increases the chance of accidental credential exposure.
Persistence & Privilege
always:false and model invocation not disabled (normal). The scripts attempt to start systemd services and spawn the xiaohongshu-mcp binary from ~/xiaohongshu-mcp, which requires filesystem and service control actions but the skill does not request persistent system-wide privileges in metadata. This is not an explicit escalation flag, but running service-control commands and launching local binaries elevates the impact if credentials or malicious components are present.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xhs
  3. After installation, invoke the skill by name or use /xhs
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.5
- 增加了环境变量说明,支持 Gemini、OpenAI、腾讯云混元等多种封面AI生图服务(需配置相应 API Key)。 - 新增「手动Cookie」登录方式,适用于已在浏览器登录的用户粘贴Cookie直接登录。 - metadata中 now requires at least one of: curl(或convert),提升兼容性。 - 文档部分优化,明确环境变量与依赖工具的说明,提升用户配置指引。 - 其他文档细节修订与优化。
v1.2.4
- 增加了环境变量说明,支持 Gemini、OpenAI、腾讯云混元等多种封面AI生图服务(需配置相应 API Key)。 - 新增「手动Cookie」登录方式,适用于已在浏览器登录的用户粘贴Cookie直接登录。 - metadata中 now requires at least one of: curl(或convert),提升兼容性。 - 文档部分优化,明确环境变量与依赖工具的说明,提升用户配置指引。 - 其他文档细节修订与优化。
v1.2.3
xhs 1.2.3 Changelog - 封面图 AI 生图策略新增腾讯云混元(AIART)API选项,用户可选用对应API Key自动生成封面主题图片。 - 封面图生图时,环境变量支持腾讯云混元参数(IMG_API_TYPE=hunyuan等)。 - 其余流程、文案创作、平台操作等未变。 - 文档同步更新相关说明。
v1.2.2
Version 1.2.2 - 增加了“文案生成”、“标题生成”、“封面图生成”三大内容创作能力,支持一站式从AI创作到成品输出。 - 新增多个参考与脚本文件:content-guide.md、cover-guide.md、title-guide.md、cover.sh、generate.sh,用于标准化内容和自动化封面处理。 - 详细拆分并优化了文案创作与小红书平台操作的完整流程说明。 - 支持多种AI和API方式生成标题、正文与封面,按用户需求动态引导选择。 - 丰富文案创作阶段的人机交互,增加用户选题、自定义和多步骤确认环节。 - 调整元数据与技能描述,更突显一站式内容助手定位。
v1.2.1
v1.2.0 - 增加 check_env.sh 环境和登录检查脚本,实现自动前置诊断。 - 技能说明文档全面重写,优化使用流程,操作步骤更清晰简明。 - 登录流程大幅优化,支持“快捷扫码”(内置获取二维码)与“截图扫码”两种方式,并按用户需求自动选择。 - 新增/更新了工具文档,包含点赞、收藏、评论回复等新操作,参数更详细。 - 安装与登录流程执行路径统一,提升易用性和自动化支持。
v1.0.4
优化提示词
v1.0.3
### 1.0.3 Changelog - Clarified that Xiaohongshu does not provide a public API; skill uses browser automation via a local MCP service. - Added explicit instruction to always use the exec tool to call the MCP HTTP endpoint, regardless of user query. - Updated the calling process: now emphasizes streaming HTTP protocol and strictly requires a per-call session initialization and `Mcp-Session-Id` header on all requests. - Documented that all calls must perform initialization, receive a session ID, confirm, and then execute the tool, all within the same exec. - Removed ambiguous or outdated instructions. Added strict step-by-step bash script for correct usage. - Warned against omitting session initialization, as it will result in errors.
v1.0.2
更新错误的仓库地址
v1.0.1
xhs v1.0.1 - Initial release of xiaohongshu (小红书) skill for content publishing and management. - Supports posting text/image/video content, searching notes, viewing recommendations, post details, commenting, and user profiles. - Provides step-by-step installation and setup instructions for the xiaohongshu MCP backend service. - Includes troubleshooting and login flow for automated session handling. - Details environmental variable settings and API call templates.
v1.0.0
xiaohongshu(小红书)Skill 1.0.0 初始版本发布 - 实现小红书内容发布与管理,支持发帖、搜索、评论、获取推荐、查看用户主页等。 - 提供详细的环境安装、依赖配置及服务部署指导,兼容多平台(Linux、macOS、ARM 架构)。 - 支持图文笔记、视频笔记的发布,及常用内容检索、推荐、评论操作。 - 完整说明初始化会话、调用接口的流程,并涵盖二维码登录自动化脚本。 - 列出所有可用功能和参数,便于对接自动化操作或 OpenClaw 集成。
Metadata
Slug xhs
Version 1.2.5
License
All-time Installs 87
Active Installs 82
Total Versions 10
Frequently Asked Questions

What is 小红书 - RedNote?

小红书全能助手 — 文案生成、封面制作、内容发布与管理。当用户要求写小红书笔记、生成小红书文案/标题/封面、发小红书、搜索小红书、评论点赞收藏等任何小红书相关操作时使用。支持一站式从文案创作到自动发布的完整流程。封面AI生图需配置可选环境变量(GEMINI_API_KEY 或 IMG_API_KEY 或 HUNY... It is an AI Agent Skill for Claude Code / OpenClaw, with 10954 downloads so far.

How do I install 小红书 - RedNote?

Run "/install xhs" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 小红书 - RedNote free?

Yes, 小红书 - RedNote is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 小红书 - RedNote support?

小红书 - RedNote is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 小红书 - RedNote?

It is built and maintained by hiyu (@hi-yu); the current version is v1.2.5.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments