← Back to Skills Marketplace
Xhs Mcp Service
by
Jackydai-bc
· GitHub ↗
· v1.0.0
· MIT-0
92
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install xhs-mcp-service
Description
小红书(XHS/RED)MCP 服务。通过本地 xhs-mcp-server 服务提供完整的小红书操作能力。 当用户提到小红书、红书、XHS、RED、发笔记、搜笔记、小红书运营等任何与小红书相关的操作时使用此技能。 ⚠️ 前置条件:需要先启动 xhs-mcp-server 服务(默认 http://localho...
Usage Guidance
What to consider before installing/running:
- This package implements a local automation server that will control your Xiaohongshu account via Puppeteer and stored cookies. If you run it, npm install will download Chromium (Puppeteer) and the service will persist session cookies to data/cookies.json — treat that file as highly sensitive (it contains authentication cookies). Keep it on a trusted machine and with tight file permissions.
- The documentation repeatedly refers to localhost, but the server code defaults to binding XHS_HOST='0.0.0.0' which will accept connections from any network interface. Unless you intentionally need remote access, set XHS_HOST=127.0.0.1 (or the equivalent) before starting, or firewall the port. Exposing the MCP endpoint on the network could allow others to control your account if they can reach the host.
- The code performs real actions (likes, comments, publishes) against the service using your account. Use test accounts for experimentation and be cautious about automated publishing or bulk operations (risk of platform restrictions/ban).
- Review the source (especially src/xhs-tools.js and any code that performs network requests) yourself to ensure there are no unexpected external callbacks or telemetry endpoints. Confirm there are no hardcoded remote endpoints that exfiltrate cookies or data.
- Because SKILL.md uses a hard-coded example Windows path and recommends running login which opens a browser for QR scan, run the project in a controlled environment (VM, container, or isolated host) if you are unsure.
- If you decide to run: (1) audit code, (2) set XHS_HOST=127.0.0.1, (3) restrict port via firewall, (4) protect data/cookies.json, and (5) prefer using a disposable/test account for initial trials.
If you want, I can point to the exact lines/files that set the host binding and the cookies path so you (or your admin) can change them before running.
Capability Assessment
Purpose & Capability
Name/description claim a local xhs-mcp-server to operate Xiaohongshu; the repository contains code (Express + MCP SDK + Puppeteer) implementing exactly that functionality (13 tools: search, like, publish, etc.). The requested files, dependencies (puppeteer, express, @modelcontextprotocol/sdk), and runtime behaviors are proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs installing deps, running login (opens a browser for QR code), starting the local MCP service, and running scripts that read local files and publish content. Those instructions are expected, but notable issues: SKILL.md claims the service endpoint is http://localhost:18060/mcp, yet the server code defaults XHS_HOST to '0.0.0.0' (bind all interfaces) — this mismatches the documentation and could expose the MCP endpoints beyond localhost. The instructions also tell users to run commands in a hard-coded Windows path (D:\work\...), which is a fragile/poorly documented instruction (example path) but not necessarily malicious.
Install Mechanism
This is an instruction-only skill for the agent, with included source files (no automated installer). There is no opaque download URL; package.json declares standard npm dependencies (puppeteer, express, MCP SDK). Puppeteer will download Chromium during npm install (normal behavior). No high-risk remote install steps are embedded in SKILL.md or package.json.
Credentials
The skill declares no required environment variables or credentials. It does use/mention XHS_PROXY and XHS_PORT/XHS_HOST environment variables to configure runtime behavior — appropriate for a local service. The code reads/writes data/cookies.json to persist session cookies; this is necessary for automating a user account but means sensitive authentication cookies are stored on disk. That is expected for the purpose, but it is sensitive and should be treated accordingly.
Persistence & Privilege
The skill is not declared always:true. However, a real risk exists: server code defaults XHS_HOST to '0.0.0.0' (listening on all interfaces) which can expose the MCP API (and thereby operations on the user's Xiaohongshu account via stored cookies) to other machines on the network if firewall/host config is not tightened. This network exposure is inconsistent with the SKILL.md's repeated reference to http://localhost and raises an operational security concern.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xhs-mcp-service - After installation, invoke the skill by name or use
/xhs-mcp-service - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
xhs-mcp-service 1.0.0 初始版本发布
- 提供本地 MCP 服务,实现小红书笔记的发文、搜索、点赞、收藏、评论等完整操作能力
- 共13个工具,涵盖登录检测、内容检索、互动、内容发布等功能
- 支持通过 MCPorter 调用简单参数工具,复杂发布操作需使用 Node.js 脚本
- 详细说明部署要求、环境变量及注意事项,便于快速上手
- 强调账号安全、内容限制与 Cookie 管理
Metadata
Frequently Asked Questions
What is Xhs Mcp Service?
小红书(XHS/RED)MCP 服务。通过本地 xhs-mcp-server 服务提供完整的小红书操作能力。 当用户提到小红书、红书、XHS、RED、发笔记、搜笔记、小红书运营等任何与小红书相关的操作时使用此技能。 ⚠️ 前置条件:需要先启动 xhs-mcp-server 服务(默认 http://localho... It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.
How do I install Xhs Mcp Service?
Run "/install xhs-mcp-service" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xhs Mcp Service free?
Yes, Xhs Mcp Service is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Xhs Mcp Service support?
Xhs Mcp Service is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Xhs Mcp Service?
It is built and maintained by Jackydai-bc (@jackydai-bc); the current version is v1.0.0.
More Skills