deanzh0912

sexy-claw

by deanzh0912 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads 80
Stars 0
Active Installs 0
Versions 1
Install in OpenClaw
/install sexy-claw
Description
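🦞 色😍龙虾 ("Lustful Lobster") - Searches multiple platforms (Xiaohongshu (小红书), Douyin (抖音), YouTube, Bilibili (B站)) and recommends good-looking creators/videos according to the owner's aesthetic preferences. Automatically obtains the user's cookies, learns the owner's tastes, and pushes personalized content.
Use cases:
- The owner says "find beautiful women / pretty girls / good-looking creators"
- The owner mentions a specific platform (Xiaohongshu/Douyin/YouTube/Bilibili)
- The owner gives an aesthetic preference (e.g. "...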
Usage Guidance
This skill appears to implement the advertised search across platforms, but you should take precautions before installing or using it:
- Cookies are sensitive: the skill asks you to copy platform session cookies and saves them as plaintext JSON in the skill directory. Those tokens can grant account access. Only use throwaway accounts or be prepared to revoke/change cookies if compromised.
- Undeclared dependencies: the scripts call 'yt-dlp' and an 'xhs' CLI and use Python requests; they also attempt to source ~/.agent-reach-venv. Ensure you understand and audit those third-party tools (especially the xhs CLI) before running them. Install them from trusted sources.
- Verify behavior: inspect the xhs and yt-dlp commands and confirm the skill does not transmit cookies or preferences to any external endpoint. The packaged code shows no upload endpoints, but verify after any changes.
- Prefer ephemeral use: if possible, avoid long-term storage of live session cookies; use limited or logged-out searches or ephemeral browser profiles.
- If you lack technical skills: consider not installing, or only running the scripts in an isolated environment (VM/container), and review/replace any hard-coded paths (e.g., the ~/.agent-reach-venv activation) before use.
Given these privacy and dependency mismatches, proceed only if you are comfortable managing session tokens and can verify the third-party tools the scripts invoke.
Capability Analysis
Type: OpenClaw Skill
Name: sexy-claw
Version: 1.0.0
The skill bundle is designed to solicit and store highly sensitive session cookies (e.g., Bilibili SESSDATA, Douyin sessionid, XHS web_session) from the user to perform searches. While the provided scripts (scripts/douyin_search.py, scripts/bilibili_search.py) use these cookies locally to interact with official APIs, the practice of credential harvesting is high-risk. Furthermore, scripts/xhs_search.py and scripts/youtube_search.py are vulnerable to shell injection via subprocess.run(shell=True) because they do not sanitize the keyword input, potentially allowing for remote code execution.
Capability Assessment
Purpose & Capability
The name/description (search and recommend creators across 小红书/抖音/B站/YouTube) matches the code: scripts query each platform. However the skill metadata declares no required binaries or environment variables while the code expects external CLIs (xhs, yt-dlp) and Python networking (requests). Also xhs_search.py activates a hard-coded virtualenv path (~/.agent-reach-venv) which is not documented—this is an unexplained dependency/mismatch.
Instruction Scope
SKILL.md instructs the user to extract and save platform cookies and the scripts read those cookies from references/platform_cookies.json. The description claims "automatically obtains user cookies" (自动获取用户cookies) but the runtime instructions require the user to manually copy cookies (no automated browser integration). The skill instructs opening video links locally (open), and scripts access the user's home path to source a virtualenv. These behaviors are within the stated purpose but involve handling sensitive session tokens and an undocumented venv path.
Install Mechanism
There is no install spec (instruction-only), so nothing is written by an installer. That reduces some risk. However the scripts depend on external tools (yt-dlp, xhs CLI) and Python packages (requests) that are not declared — the skill will fail or behave unexpectedly unless the environment already has these tools. No downloads or remote install URLs are present.
Credentials
No environment variables or cloud credentials are requested, which is appropriate. But the skill explicitly asks for and stores authentication cookies (web_session/a1, sessionid/ttwid, SESSDATA/bili_jct). Those are high-sensitivity secrets that effectively grant session access to user accounts; storing them in a plaintext local JSON file is proportionate to the task but risky and should be made explicit to the user. The skill claims cookies are stored locally and not uploaded (and the code shows no exfiltration), but that guarantee is purely declarative and should be verified by users.
Persistence & Privilege
The skill does local persistence only (references/user_preference.json and references/platform_cookies.json). It is not 'always: true' and does not modify other skills or system-wide config. Local persistence is expected for user preferences and cookie storage, but it increases privacy risk due to stored session tokens.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sexy-claw
  3. After installation, invoke the skill by name or use /sexy-claw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
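Sexy-Claw v1.0.0
- Initial release: multi-platform search and recommendation of looks-focused content across Xiaohongshu (小红书), Douyin (抖音), Bilibili (B站) and YouTube.
- Automatic personalized recommendations based on the user's aesthetic taste, preferred creators and platforms, sorted by popularity.
- Supports automatically obtaining user cookies and saving them locally, protecting privacy and prompting for periodic updates.
- Records and continuously learns the user's preferences to improve recommendation accuracy.
- Provides a detailed workflow and usage instructions, with convenient scripts for calling each platform's content.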
Metadata
Slug sexy-claw
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is sexy-claw?

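🦞 色😍龙虾 ("Lustful Lobster") - Searches multiple platforms (Xiaohongshu (小红书), Douyin (抖音), YouTube, Bilibili (B站)) and recommends good-looking creators/videos according to the owner's aesthetic preferences. Automatically obtains the user's cookies, learns the owner's tastes, and pushes personalized content.
Use cases:
- The owner says "find beautiful women / pretty girls / good-looking creators"
- The owner mentions a specific platform (Xiaohongshu/Douyin/YouTube/Bilibili)
- The owner gives an aesthetic preference (e.g. "...
It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.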

How do I install sexy-claw?

Run "/install sexy-claw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is sexy-claw free?

Yes, sexy-claw is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does sexy-claw support?

sexy-claw is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created sexy-claw?

It is built and maintained by deanzh0912 (@deanzh0912); the current version is v1.0.0.
