← 返回 Skills 市场
305
总下载
0
收藏
1
当前安装
2
版本数
在 OpenClaw 中安装
/install xhs-monitor
功能描述
小红书竞品监控 - 自动采集竞品笔记,推送飞书通知,写入数据看板
安全使用建议
What to check before installing/running:
- Dependencies: The metadata only mentions puppeteer-core, but the code uses puppeteer-extra and puppeteer-extra-plugin-stealth. Make sure package.json lists all needed packages or run npm install for the additional modules before running.
- Environment vars: Set CHROMIUM_PATH (path to Chrome/Chromium) and XHS_DATA_DIR as instructed. The skill's declared requirements do not list these, so you must provide them manually.
- Remote debugging risk: run.sh and instructions start Chrome with --remote-debugging-port. If that port is reachable from other machines, the browser can be remotely controlled. Only launch remote debugging on a trusted, firewalled host (bind to localhost or block the port externally).
- Persistent session data: the skill stores browser user-data and history.csv in the data directory. Do not run this on a machine containing sensitive accounts unless you accept stored session artifacts. Do not commit config.js or data/ to a public repo.
- Feishu (Lark) / Bitable: notify.example.js shows where you would put tokens. Only copy secrets into notify.js after auditing it. If you add app tokens, the skill will send data externally — review and limit what is sent.
- Run in isolation: consider running in a dedicated environment (VM/container) to reduce risk of browser remote-control or accidental data leakage.
- Safety improvements: ask the author for a complete package.json, explicit list of required env vars in metadata, and a note about binding remote-debugging to localhost. If you cannot get that, treat the skill as requiring manual vetting before use.
Overall: the project appears to do what it says, but the metadata/documentation mismatches and the operational choices (remote debugging, persistent sessions, incomplete declared dependencies) are reasons to review and harden it before deploying on a sensitive host.
功能分析
Type: OpenClaw Skill
Name: xhs-monitor
Version: 1.0.1
The skill bundle implements a Xiaohongshu (Red) scraper using Puppeteer with several high-risk configurations, including disabling the browser sandbox ('--no-sandbox') and managing persistent user sessions via 'userDataDir' (found in daemon.js and scraper.js). It utilizes shell scripts (run.sh) and a custom scheduler (scheduler.js) to execute node processes and manage browser instances via remote debugging ports (9223). While these capabilities are plausibly required for the stated purpose of automated competitor monitoring and session persistence, the use of insecure browser flags and broad file system access for session data constitutes a significant security risk without further isolation.
能力评估
Purpose & Capability
The code (scrapers, parser, dedupe, Feishu notifier) is consistent with the skill description. However the metadata/requirements are incomplete: SKILL.md/metadata only declare installing puppeteer-core and require PATH, while the code uses puppeteer-extra, puppeteer-extra-plugin-stealth and expects CHROMIUM_PATH/XHS_DATA_DIR/DEBUG_PORT environment variables. That discrepancy means the declared requirements do not fully reflect what the skill actually needs to run.
Instruction Scope
Instructions and scripts tell the agent to launch Chrome with remote debugging, keep the browser user-data-dir open, run node main.js, and write history/data files locally. The skill does not try to read unrelated system files, nor does it contain hidden remote endpoints, but exposing Chrome's remote debugging port and keeping browser session data on disk are operational risks (possible remote control of the browser if the debug port is reachable, long-lived session data stored locally).
Install Mechanism
The skill is instruction-only (no automated install), and SKILL.md suggests npm install puppeteer-core. The runtime code also requires puppeteer-extra and stealth plugin, but those are not declared in the install metadata. There are no downloads from arbitrary URLs, which is good, but the declared install list is incomplete and may leave missing dependencies if followed exactly.
Credentials
Declared required env vars only list PATH, but the code/instructions rely on CHROMIUM_PATH, XHS_DATA_DIR, and DEBUG_PORT. notify.example.js references Feishu (Lark) tokens and BITABLE_CONFIG (app_token/table_id) — these are optional but, if provided, would permit external notification and data upload. No primary credential is defined in metadata; adding Feishu credentials would grant external network access for notifications. The skill asks for persistent local storage (data/history.csv, user-data-dir) which may contain session/auth artifacts.
Persistence & Privilege
always: false and the skill is user-invocable; it does not demand forced always-on inclusion. It can run as a daemon/scheduler and writes its own data under the project data directory, but it doesn't modify other skills or system-wide agent settings. This is expected for a monitoring tool.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xhs-monitor - 安装完成后,直接呼叫该 Skill 的名称或使用
/xhs-monitor触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- 文档新增了 ClawHub 一键安装方式,提升安装便捷性
- 安装、配置流程更清晰,分步说明优化
- 其余核心功能与用法保持不变
v1.0.0
- Initial release.
元数据
常见问题
小红书竞品监控助手 是什么?
小红书竞品监控 - 自动采集竞品笔记,推送飞书通知,写入数据看板. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 305 次。
如何安装 小红书竞品监控助手?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xhs-monitor」即可一键安装,无需额外配置。
小红书竞品监控助手 是免费的吗?
是的,小红书竞品监控助手 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
小红书竞品监控助手 支持哪些平台?
小红书竞品监控助手 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 小红书竞品监控助手?
由 Roy(@cstdr)开发并维护,当前版本 v1.0.1。
推荐 Skills