luweizheng

xhs-auto

Author: Weizheng Lu · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 495
Favorites: 1
Current installs: 3
Versions: 1
Install in OpenClaw
/install xhsauto
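Description
An automated Xiaohongshu publishing workflow that chains topic input, image generation, copy drafting, and debug publish validation.
Security usage advice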
This skill appears to implement the advertised Xiaohongshu automation flow, but it expects you to provide model gateway API keys (GOOGLE/GEMINI or SEED) even though the registry metadata doesn't declare them. Before installing: (1) Review and be comfortable with the included scripts (they are plain Bash/Python and call external API endpoints). (2) Understand that any prompt text and any base images you pass to the tool will be uploaded to the configured external gateway (so avoid sending sensitive/private images or text). (3) Only provide API keys with limited scope or dedicated/test keys, and consider using a proxy/gateway you control. (4) Verify trustworthiness of xhs-kit (pip package) before granting publish credentials for real posting. (5) Test in a sandbox or VM, and use the documented debug-publish mode (which claims not to perform an actual publish) before attempting a real publish. The primary issue is transparency about required credentials — correct that omission or proceed only after accepting the privacy/network implications.
Functional analysis
Type: OpenClaw Skill
Name: xhsauto
Version: 1.0.0
The skill bundle's stated purpose is benign, but the `scripts/xhs-image.sh` and `scripts/xhs-image.py` files contain several vulnerabilities that could be exploited via prompt injection against the OpenClaw agent. Specifically, both scripts allow writing to arbitrary file paths via the `--output` argument and reading arbitrary files via the `--base-image` argument, posing risks of arbitrary file write and information disclosure. Additionally, `xhs-image.sh` is vulnerable to shell injection if the `--base-image` argument contains shell metacharacters, as it's directly used in a `curl` command without proper sanitization. While there's no evidence of intentional malicious behavior (e.g., hardcoded exfiltration domains), these critical vulnerabilities make the skill bundle suspicious.
Capability assessment
Purpose & Capability
Name/description match the included scripts and the xhs-kit publishing flow. Requested binaries (bash, curl, jq, base64, xhs-kit) are appropriate. However, the registry metadata declares no required environment variables while both scripts and documentation require sensitive API keys (GOOGLE_API_KEY/GEMINI_API_KEY and/or SEED_API_KEY). That undeclared credential requirement is an incoherence.
Instruction Scope
SKILL.md instructs the agent to generate text and images, save outputs under ${workspace}/xhs-auto/{timestamp}, and call xhs-kit debug-publish — all within the stated purpose. The scripts will read environment variables for API keys and will transmit prompts and (for edit mode) image bytes to external OpenAI-compatible endpoints; this is expected for image generation but means user-supplied images or prompts will be sent off-host.
Install Mechanism
No install spec (instruction-only skill) and included code files are local. Nothing in the manifest pulls arbitrary remote installers or archives. The README suggests installing public packages (pip, playwright) which is normal.
Credentials
The skill requires API keys for external model gateways (Google/Gemini or ByteDance Seed) but the registry lists no required env vars. Those keys are sensitive and will be used to make external network calls; the omission from the declared requirements is a mismatch and reduces transparency. xhs-kit may also require login credentials for real publishing (not needed for debug), which the docs mention.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It writes outputs into a workspace subdirectory (documented) and does not request system-wide privileges.
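How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install xhsauto
  3. Once installation completes, call the Skill by name or trigger it with /xhsauto
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history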
v1.0.0
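xhs-auto 1.0.0
- Supports an automated Xiaohongshu content publishing workflow, including topic input, image generation, copy drafting, and content validation.
- If the user does not provide images, automatically generates an image prompt from the topic and copy and calls the script to generate the images.
- Generated content (title, body, image paths, etc.) is automatically organized and written to the specified directory.
- Calls the interface of the Xiaohongshu auto-publishing tool xhs-kit to perform content compliance validation.
- Supports cross-platform use.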
Metadata
Slug: xhsauto
Version: 1.0.0
License:
Total installs: 3
Current installs: 3
Historical versions: 1
FAQ

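What is xhs-auto?

An automated Xiaohongshu publishing workflow that chains topic input, image generation, copy drafting, and debug publish validation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 495 total downloads to date.

How do I install xhs-auto?

Run the command "/install xhsauto" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is xhs-auto free?

Yes, xhs-auto is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does xhs-auto support?

xhs-auto runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed xhs-auto?

Developed and maintained by Weizheng Lu (@luweizheng); the current version is v1.0.0.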
