← 返回 Skills 市场
263
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install rn-skills-tywx
功能描述
小红书爆款内容全自动创作助手,专注「时尚穿搭与新中式美学」赛道。 自动完成素材收集、选题筛选、文案生成、AI配图(通义万相)、本地归档的完整流程。 Use when: 用户说"创作小红书"、"收集素材"、"根据XXX创作",或需要批量生成小红书图文笔记。 NOT for: 其他平台(抖音/微博)的内容创作,也不用...
安全使用建议
This skill appears to do what it says (generate Xiaohongshu copy + images), but review and fix a few issues before running it:
- Metadata omission: The registry metadata does not list the required DASHSCOPE_API_KEY even though SKILL.md and the script need it. Treat that as a packaging error and assume the API key is required. Do not provide the key unless you trust the source.
- Inspect generate_images.py carefully: it will try to read ~/.zshrc to find DASHSCOPE_API_KEY if the env var is missing; if you do not want scripts scanning your shell config, set the env var explicitly or remove that fallback behavior.
- Hard-coded paths: The script writes to absolute paths (/Users/yk/...). Modify the script to use relative or configurable output directories so it doesn't place files in unexpected locations or overwrite your data.
- Shell execution risks: The script builds curl commands with the API key and runs them via shell=True. Ensure the API key and prompts are sanitized and run this in a controlled environment (or replace with requests library calls) to avoid injection risks.
- Minimal credential scope: DASHSCOPE_API_KEY is the only credential used; verify you obtain the key from your own Alibaba account and rotate/revoke it if you stop using the skill.
- Run in isolation first: Execute the script in a disposable environment (container or throwaway VM) to confirm behavior and to avoid accidental writes to your home directory.
If you want, I can produce a safer variant of generate_images.py that (1) reads the API key only from an explicit env var, (2) uses relative output paths (or an explicit --output argument), and (3) uses Python HTTP requests instead of shell curl to avoid shell injection.
功能分析
Type: OpenClaw Skill
Name: rn-skills-tywx
Version: 1.0.1
The script `generate_images.py` contains high-risk patterns, specifically reading the user's `~/.zshrc` file to extract API keys and using `subprocess.run(shell=True)` to execute `curl` commands, which introduces a shell injection vulnerability. While these behaviors are likely intended for the stated purpose of image generation via the DashScope API (dashscope.aliyuncs.com), the intrusive credential retrieval and insecure execution methods are significant security flaws. Additionally, the script contains hardcoded absolute paths specific to the author's environment, indicating poor portability and potential for unexpected behavior.
能力评估
Purpose & Capability
Overall the declared purpose (trend scouting, copywriting, and image generation via Alibaba Tongyi Wanxiang) aligns with the included files: keyword/title/image presets, history, and a Python script that calls the dashscope API. However metadata claims 'Required env vars: none' while both SKILL.md and generate_images.py require DASHSCOPE_API_KEY. The script also uses curl (via subprocess) but the skill metadata does not declare required binaries (curl) — an inconsistency that suggests sloppy packaging or missing declarations.
Instruction Scope
SKILL.md instructs only scoped actions (web search, generate copy, call Tongyi Wanxiang, save outputs). But the included generate_images.py reads the user's ~/.zshrc as a fallback to extract DASHSCOPE_API_KEY (this is not documented in SKILL.md), uses hard-coded absolute paths under /Users/yk/... for output, and runs shell commands (curl, cp) via subprocess.run(shell=True). The code therefore reads a local config file and writes to specific filesystem locations beyond the skill directory — behavior not described in SKILL.md and widening the runtime scope.
Install Mechanism
There is no install spec (instruction-only skill), which minimizes supply-chain risk. The only runtime artifact is generate_images.py which performs network calls to an official dashscope.aliyuncs.com endpoint and downloads image files. No archive downloads or third-party package installs are present in the manifest.
Credentials
The skill requires a single external credential (DASHSCOPE_API_KEY) to call the image API — that's proportionate to image generation. But the skill metadata fails to declare this required env var. Worse, the script will read ~/.zshrc to extract the key if the environment variable is not set, which means it reads a user config file to find secrets. This fallback access to shell config increases privacy risk and is not justified in the manifest or SKILL.md.
Persistence & Privilege
The skill is not always-on and does not request elevated platform privileges. It writes outputs and updates history.json in the project, which is expected for a content generator. The concerning part is that generate_images.py uses hard-coded absolute paths outside the project directory (e.g., /Users/yk/Documents/work/skills/...), which could overwrite or place files in unexpected locations on a user's machine if executed as-is.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install rn-skills-tywx - 安装完成后,直接呼叫该 Skill 的名称或使用
/rn-skills-tywx触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- 新增 generate_images.py 文件,引入独立图片生成模块。
- 功能结构未变,核心流程保持一致。
v1.0.0
xiaohongshu-creator skill released!
- 自动化生成小红书爆款时尚穿搭与新中式美学内容,涵盖素材收集、选题、文案、AI配图、本地归档全流程
- 支持用户按需触发(如「创作小红书」「收集素材」「根据XXX创作」等)
- 高效并行爬取多平台热门信息,智能筛选优化赛道相关选题
- 文案与配图风格高度可定制,季节智能感知,并严格控制内容原创性与图片一致性
- 输出目录结构清晰,附带详细发布建议与API成本预测
元数据
常见问题
Rn Skills 是什么?
小红书爆款内容全自动创作助手,专注「时尚穿搭与新中式美学」赛道。 自动完成素材收集、选题筛选、文案生成、AI配图(通义万相)、本地归档的完整流程。 Use when: 用户说"创作小红书"、"收集素材"、"根据XXX创作",或需要批量生成小红书图文笔记。 NOT for: 其他平台(抖音/微博)的内容创作,也不用... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 263 次。
如何安装 Rn Skills?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install rn-skills-tywx」即可一键安装,无需额外配置。
Rn Skills 是免费的吗?
是的,Rn Skills 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Rn Skills 支持哪些平台?
Rn Skills 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Rn Skills?
由 yb(@ykabps1314)开发并维护,当前版本 v1.0.1。
推荐 Skills