xhs-skill-pusher

小红书内容发布技能 - 规范化cookie管理 + xhs-kit自动化发布

This package appears to do what it says (manage local Xiaohongshu cookies and call xhs-kit to publish). Before installing or running it, consider: 1) Cookies are sensitive — never commit xhs_cookies/*.json or cookies.json to a public repo; follow the README but add .gitignore entries. 2) Limit file permissions on the cookie directory (chmod 700 or similar). 3) The scripts and the Node CLI build shell commands by interpolating user-supplied values (title, content, cookie names) and call execSync or run embedded python -c strings; avoid running this on untrusted inputs and review/escape any values you plan to supply programmatically to prevent command injection. 4) The tool copies cookie files into cookies.json (DEFAULT_COOKIE) and may overwrite an existing file — back up any important cookies before use. 5) Ensure xhs-kit and Playwright packages you install are from trusted sources. If you want a lower-risk usage pattern, run the scripts in an isolated environment (dedicated VM/container) and review/modify code to use spawn/execFile or explicit argument arrays instead of shell-interpolated exec strings.

Type: OpenClaw Skill Name: xhs-skill-pusher Version: 1.0.0 The xhs-skill-pusher bundle is a legitimate toolset designed for automating content publishing on Xiaohongshu (XHS) using the xhs-kit library. It provides a structured approach to managing session cookies and executing publishing workflows through shell scripts (xhs_final.sh, xhs_manage.sh) and a Node.js CLI (xhs-pusher.mjs). While the skill handles sensitive authentication data (cookies), all logic is focused on local file management and interaction with the stated dependency. There is no evidence of data exfiltration, unauthorized network calls, or intentional backdoors. Some scripts contain minor shell injection vulnerabilities in how they pass variables to Python one-liners (e.g., in xhs_save_cookie.sh), but these appear to be unintentional coding flaws rather than malicious intent.