← 返回 Skills 市场
76
总下载
0
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install qianxun-content-engine-en
功能描述
Content Engine (Xiaohongshu). Two modes: ① Deconstruct (v1) — input a viral XHS link, get an 18-field structured card. ② Generate (v2) — combine the deconstr...
安全使用建议
Key things to check before installing or running this skill:
1) Clarify required credentials and endpoints. Ask the publisher which environment variables / API keys are required (TikHub/TikTok API, Ofox LLM keys, Nano Banana image keys, Volcengine/Seedance keys, etc.). The code references LLM/image/video clients but the skill metadata lists none — treat that as an under-declaration. Only provide keys you intend the skill to use, not broad cloud creds.
2) Inspect the code files that touch the network and filesystem first: scripts/content_engine/client.py, llm.py, nano_banana.py, seedance.py, generate.py, extract_xhs.py, and preflight.py. Search for strings like 'http', 'https', 'api', 'host', 'token', 'key', 'requests', 'urllib', 'socket'. Confirm which external hosts receive data and what data is transmitted (raw scraped notes, user-provided brand info, or full deconstruction outputs).
3) Run locally in a sandboxed environment. Execute preflight.py or run the scripts with a dry-run / test mode and with network egress blocked initially to see local behavior. Provide only minimal API keys in a restricted test account if you plan to enable network calls. Do not place unrelated secrets (AWS keys, GitHub tokens) into the agent environment.
4) Pay attention to data retention and privacy. The skill auto-writes deconstruction output and updates graph/ files that may contain scraped competitor content and comment text. If that is sensitive, store or encrypt graph/ files appropriately and review whether you want those artifacts written to persistent storage.
5) Confirm ffmpeg availability. SKILL.md says ffmpeg is required for video composition; install/allow only the ffmpeg binary and ensure paths are correct. The registry metadata should have listed this binary — request correction if it remains omitted.
6) Limit autonomous invocation if you are cautious. Autonomous execution is the platform default; if you want to reduce potential exposure until you audit the code, disable or restrict the skill's ability to run autonomously or run it only on-demand.
7) If you are not comfortable auditing the code yourself, ask the publisher for a short security/data-flow description: what endpoints are called, what data is sent, whether any logs or tokens are exfiltrated, and what minimal env vars are needed. Without that, treating this skill as 'runs code + networks + writes files' and running it in an isolated environment is the safest approach.
功能分析
Type: OpenClaw Skill
Name: qianxun-content-engine-en
Version: 0.3.1
The skill bundle is a sophisticated content engine for Xiaohongshu that exhibits several high-risk capabilities. It performs network requests to multiple external APIs (TikHub, Ofox, Volcengine) and uses User-Agent spoofing (`curl/8.7.1` in `client.py`) to evade bot detection. It also executes shell commands via `subprocess` for media processing with `ffmpeg` (`video.py`, `video_compose.py`) and includes instructions in `SKILL.md` for the AI agent to autonomously modify its own knowledge graph files (`graph/` directory). While these behaviors are aligned with the stated purpose of content deconstruction and generation, the combination of network access, shell execution, and self-modifying file operations meets the threshold for a suspicious classification.
能力标签
能力评估
Purpose & Capability
The name/description promise (deconstruct XHS links; generate text/images/videos) is coherent with included code, but the registry metadata claims no required env vars or binaries while the package includes clients for external services: TikhubClient (TikHub/TikHub-like API), an Ofox LLM client, Nano Banana image generator, and a Seedance / Volcengine video path. The SKILL.md also states ffmpeg is required. Generating real images/videos or calling LLM/image APIs normally requires API keys and network access — those credentials are not declared. This is an unexplained mismatch between purpose and declared capabilities.
Instruction Scope
SKILL.md instructs the agent to run Python scripts (extract_xhs.py, generate_xhs.py, and package modules) and to read and write the skill's graph/ .md files (auto-writeback). It explicitly uses the agent's Read/Write/Exec tools and ffmpeg. The instructions imply network calls to platform APIs and third-party LLM/image services and allow the system to append/modify graph nodes automatically. Those behaviors go beyond mere local parsing: they will fetch external content and persist derived data. The SKILL.md is prescriptive about scanning/writing graph nodes (append-only) which is expected, but the document does not enumerate what external endpoints are used or what data is sent.
Install Mechanism
There is no install spec (instruction-only), which reduces supply-chain risk from remote downloads. However, this package includes 28+ scripts and a Python package that will be executed in the agent environment. That increases attack surface compared to a pure-text SKILL.md. No external install URL is used, which is good, but you still must treat bundled code as executable payload.
Credentials
The skill declares no required environment variables or primary credential, yet the codebase contains clients for external services (client.py / llm.py / nano_banana.py / seedance.py / generate.py). Those modules very likely require API keys, endpoints, or tokens at runtime — their omission from requires.env under-declares required secrets. Also SKILL.md mentions ffmpeg is required but the registry lists no required binaries. The skill will read/write graph/ files (expected) and will assemble and potentially transmit content to third-party LLM/image/video services — supplying broad credentials (e.g., cloud keys) without knowing the exact scope would be risky.
Persistence & Privilege
always:false (normal). The skill auto-writes to its own graph/ node files (described behavior). That is expected functionality for a knowledge-graph-backed generator and not an escalation by itself. However, autonomous invocation plus networked LLM/image clients increases the potential blast radius (the agent could autonomously recall a card, call external services, and update graph/). The skill does not claim to modify other skills or system-wide configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install qianxun-content-engine-en - 安装完成后,直接呼叫该 Skill 的名称或使用
/qianxun-content-engine-en触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.3.1
v0.3.1: review fixes. .env.example now includes ARK_API_KEY example (with console link + IAM ≠ ARK warning + model activation guide); preflight now also checks ARK_API_KEY (--check shows 9 checks total, video real-gen requirement is now visible). Code unchanged, tests still 132. Also includes the v0.3.0 end-to-end 5-shot real-generation validation (5/5 succeeded, ffmpeg concat produced 26.1MB final-video.mp4 OK).
v0.3.0
v0.3.0: Real video generation via Volcengine Ark Seedance 2.0. The video type now calls the Ark API by default to generate each shot, then auto-concatenates them into final-video.mp4 with ffmpeg. Failed shots don't block others; partial-video.md captures per-shot status and failed-shot prompts for manual re-runs. New flags: --no-real-video (skip API) / --async (submit only, return task_ids) / --no-confirm (skip 3s cost countdown). New env var: ARK_API_KEY (note: not the same as Volcengine IAM AK/SK). Tests: 132 (+15).
v0.2.1
v0.2.1: Added validator (hard errors auto-retry + soft warnings → quality_report.md) + auto-fallback v1 (transparently runs extract_xhs.py and writes a stub deconstruction card when no card exists for the link). Banned-words list now auto-extended from graph/engine/taboo.md. Test coverage: 98 (+36 new).
v0.2.0
v0.2.0 adds generate mode: produce your own script / cover / desc / tags / reference frames from the deconstruction card + brand info, using Ofox (LLM + Nano Banana). Video output is a Seedance 2.0 prompt as substitute; real video gen planned for v2.1. New examples/ directory with real reference outputs. New required config: OFOX_API_KEY for generate mode.
v0.1.0
v0.1.0 initial release. XHS deconstruction (video + image), 18-field structured output, built-in knowledge graph. XHS only; Douyin / WeChat Channels on roadmap (see SKILL.md).
元数据
常见问题
Content Engine 是什么?
Content Engine (Xiaohongshu). Two modes: ① Deconstruct (v1) — input a viral XHS link, get an 18-field structured card. ② Generate (v2) — combine the deconstr... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 76 次。
如何安装 Content Engine?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install qianxun-content-engine-en」即可一键安装,无需额外配置。
Content Engine 是免费的吗?
是的,Content Engine 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Content Engine 支持哪些平台?
Content Engine 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Content Engine?
由 dizhu(@dizhu)开发并维护,当前版本 v0.3.1。
推荐 Skills