← 返回 Skills 市场
sexy-claw
作者
deanzh0912
· GitHub ↗
· v1.0.0
· MIT-0
80
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install sexy-claw
功能描述
🦞 色😍龙虾 - 根据主人审美偏好,在多个平台(小红书、抖音、YouTube、B站)搜索并推荐颜值博主/视频。 自动获取用户cookies,学习主人喜好,推送个性化内容。 使用场景: - 主人说"找美女/小姐姐/颜值博主" - 主人提到特定平台(小红书/抖音/YouTube/B站) - 主人给出审美偏好(如"...
安全使用建议
This skill appears to implement the advertised search across platforms, but you should take precautions before installing or using it:
- Cookies are sensitive: the skill asks you to copy platform session cookies and saves them as plaintext JSON in the skill directory. Those tokens can grant account access. Only use throwaway accounts or be prepared to revoke/change cookies if compromised.
- Undeclared dependencies: the scripts call 'yt-dlp' and an 'xhs' CLI and use Python requests; they also attempt to source ~/.agent-reach-venv. Ensure you understand and audit those third-party tools (especially the xhs CLI) before running them. Install them from trusted sources.
- Verify behavior: inspect the xhs and yt-dlp commands and confirm the skill does not transmit cookies or preferences to any external endpoint. The packaged code shows no upload endpoints, but verify after any changes.
- Prefer ephemeral use: if possible, avoid long-term storage of live session cookies; use limited or logged-out searches or ephemeral browser profiles.
- If you lack technical skills: consider not installing or only run the scripts in an isolated environment (VM/container) and review/replace any hard-coded paths (e.g., the ~/.agent-reach-venv activation) before use.
Given these privacy and dependency mismatches, proceed only if you are comfortable managing session tokens and can verify the third-party tools the scripts invoke.
功能分析
Type: OpenClaw Skill
Name: sexy-claw
Version: 1.0.0
The skill bundle is designed to solicit and store highly sensitive session cookies (e.g., Bilibili SESSDATA, Douyin sessionid, XHS web_session) from the user to perform searches. While the provided scripts (scripts/douyin_search.py, scripts/bilibili_search.py) use these cookies locally to interact with official APIs, the practice of credential harvesting is high-risk. Furthermore, scripts/xhs_search.py and scripts/youtube_search.py are vulnerable to shell injection via subprocess.run(shell=True) because they do not sanitize the keyword input, potentially allowing for remote code execution.
能力评估
Purpose & Capability
The name/description (search and recommend creators across 小红书/抖音/B站/YouTube) matches the code: scripts query each platform. However the skill metadata declares no required binaries or environment variables while the code expects external CLIs (xhs, yt-dlp) and Python networking (requests). Also xhs_search.py activates a hard-coded virtualenv path (~/.agent-reach-venv) which is not documented—this is an unexplained dependency/mismatch.
Instruction Scope
SKILL.md instructs the user to extract and save platform cookies and the scripts read those cookies from references/platform_cookies.json. The description claims '自动获取用户cookies' but the runtime instructions require the user to manually copy cookies (no automated browser integration). The skill instructs opening video links locally (open), and scripts access the user's home path to source a virtualenv. These behaviors are within the stated purpose but involve handling sensitive session tokens and an undocumented venv path.
Install Mechanism
There is no install spec (instruction-only), so nothing is written by an installer. That reduces some risk. However the scripts depend on external tools (yt-dlp, xhs CLI) and Python packages (requests) that are not declared — the skill will fail or behave unexpectedly unless the environment already has these tools. No downloads or remote install URLs are present.
Credentials
No environment variables or cloud credentials are requested, which is appropriate. But the skill explicitly asks for and stores authentication cookies (web_session/a1, sessionid/ttwid, SESSDATA/bili_jct). Those are high-sensitivity secrets that effectively grant session access to user accounts; storing them in a plaintext local JSON file is proportionate to the task but risky and should be made explicit to the user. The skill claims cookies are stored locally and not uploaded (and the code shows no exfiltration), but that guarantee is purely declarative and should be verified by users.
Persistence & Privilege
The skill does local persistence only (references/user_preference.json and references/platform_cookies.json). It is not 'always: true' and does not modify other skills or system-wide config. Local persistence is expected for user preferences and cookie storage, but it increases privacy risk due to stored session tokens.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install sexy-claw - 安装完成后,直接呼叫该 Skill 的名称或使用
/sexy-claw触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Sexy-Claw v1.0.0
- 初始版本发布:跨小红书、抖音、B站、YouTube 多平台搜索与推荐颜值类内容。
- 根据用户审美、偏好博主和平台自动个性化推荐,按热门度排序。
- 支持自动获取及本地保存用户 cookies,保护隐私并提示定期更新。
- 记录并持续学习用户喜好,提升推荐精准度。
- 提供详细操作流程与使用说明,便捷脚本调用各平台内容。
元数据
常见问题
sexy-claw 是什么?
🦞 色😍龙虾 - 根据主人审美偏好,在多个平台(小红书、抖音、YouTube、B站)搜索并推荐颜值博主/视频。 自动获取用户cookies,学习主人喜好,推送个性化内容。 使用场景: - 主人说"找美女/小姐姐/颜值博主" - 主人提到特定平台(小红书/抖音/YouTube/B站) - 主人给出审美偏好(如"... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 80 次。
如何安装 sexy-claw?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install sexy-claw」即可一键安装,无需额外配置。
sexy-claw 是免费的吗?
是的,sexy-claw 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
sexy-claw 支持哪些平台?
sexy-claw 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 sexy-claw?
由 deanzh0912(@deanzh0912)开发并维护,当前版本 v1.0.0。
推荐 Skills