← 返回 Skills 市场
141
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install xhs-copywriter
功能描述
Generates trending Xiaohongshu notes by extracting hot keywords, popular structures, and engagement tips for ready-to-post, high-potential content.
安全使用建议
This skill's goal (generate Xiaohongshu copy) is plausible, but exercise caution before running it. Specific concerns: (1) the bundled script posts user keywords to an unverified third‑party domain (onetotenvip.com) rather than an official Xiaohongshu API; (2) the script intentionally disables TLS hostname verification and avoids sending SNI — unusual and potentially used to evade controls; (3) SKILL.md references a report_template.md that is not included and contains contradictory rules about showing raw data vs. listing full reference notes. Before installing or running: (a) ask the publisher to disclose and justify the external API, provide its privacy policy and uptime/ownership details; (b) ask why the code disables certificate checking and SNI; (c) request the missing references/report_template.md and clarification on the conflicting display rules; (d) avoid entering any sensitive or personal keywords until you trust the endpoint; (e) if you must test, run the script in an isolated sandbox with network monitoring to observe outbound requests, or replace the network call with a vetted data source or a local mock. If the publisher cannot justify the third‑party endpoint and the TLS bypass, do not use this skill with real user data.
功能分析
Type: OpenClaw Skill
Name: xhs-copywriter
Version: 1.0.0
The skill bundle contains a Python script (`scripts/fetch_xhs_trends.py`) that implements a custom HTTP client using raw sockets to fetch data from an external API (onetotenvip.com). This script explicitly disables SSL certificate verification (`ssl.CERT_NONE`) and SNI (Server Name Indication), which are critical security vulnerabilities that expose the agent to Man-in-the-Middle (MitM) attacks. While these techniques are likely used to bypass specific server-side anti-scraping measures for its stated purpose of generating social media content, the intentional weakening of transport security and the use of a hardcoded third-party endpoint represent significant security risks.
能力评估
Purpose & Capability
Name/description: generate Xiaohongshu (小红书) trending notes. Implementation: includes a Python script that sends user keywords to https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData (a third‑party domain, not an official Xiaohongshu endpoint). Requiring an external aggregator API can be legitimate, but using an unvetted domain for all data collection is disproportionate to the stated purpose unless the README documents and verifies that service. No explanation or homepage is provided for that endpoint.
Instruction Scope
SKILL.md requires running the bundled script and mandates following references/core_workflow.md, but also mandates reading references/report_template.md when generating HTML — that file is not present in the package (missing file). The core workflow forbids showing raw data to users yet later requires listing 2–3 reference notes with full interaction data (titles, links, author, full interaction counts) — that is internally contradictory. The script will transmit user-provided keywords to an external host; SKILL.md does not explicitly disclose the external endpoint or how data is handled.
Install Mechanism
No install spec (instruction-only), so nothing is written to disk by an installer. However the package includes an executable Python script (scripts/fetch_xhs_trends.py) that will be executed at runtime. There is no package download/install risk, but executing bundled code that performs network I/O is still an active risk.
Credentials
The skill requests no environment variables or credentials (good), but the script sends user-supplied keywords and other parameters to an external service. Even without explicit credentials, this is a data‑exfiltration/privacy risk: user queries (which may include sensitive info) will be transmitted to onetotenvip.com. Additionally, the script disables TLS hostname checking and certificate verification and avoids sending SNI — these behaviors are unusual for a benign client and suggest attempts to bypass server/domain controls or monitoring.
Persistence & Privilege
The skill is not marked always:true, requests no system config paths, and does not declare persistence. It appears not to modify other skills or system-wide settings. The main privilege is runtime execution of the bundled script (normal for a code-including skill).
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xhs-copywriter - 安装完成后,直接呼叫该 Skill 的名称或使用
/xhs-copywriter触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
xhs-title-copywriter 1.0.0
- Skill renamed to “xhs-copywriter” with a stronger emphasis on generating full Xiaohongshu notes, not just titles.
- Skill description updated to highlight comprehensive note creation, including structure, content, and engagement tips.
- Added new reference: xhs_trend_data_format.md, specifying data format requirements.
- Reference to removed data file: 美式咖啡_爆款数据.md.
- Instructions for generating HTML reports and using additional reference files clarified.
元数据
常见问题
xhs-copywriter 是什么?
Generates trending Xiaohongshu notes by extracting hot keywords, popular structures, and engagement tips for ready-to-post, high-potential content. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 141 次。
如何安装 xhs-copywriter?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xhs-copywriter」即可一键安装,无需额外配置。
xhs-copywriter 是免费的吗?
是的,xhs-copywriter 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
xhs-copywriter 支持哪些平台?
xhs-copywriter 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 xhs-copywriter?
由 if530770(@if530770)开发并维护,当前版本 v1.0.0。
推荐 Skills