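Want to know which Xiaohongshu accounts are gaining followers the fastest? This skill helps you track daily/weekly/monthly follower-growth rankings. The data is manually cross-checked and verified account by account, covers all categories, and can be turned into a good-looking ranking image with one click!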
Security Analysis
high confidence
The skill mostly does what it claims (fetch rankings and generate images) but contains inconsistencies and risky network behavior: it calls an opaque third‑party endpoint using a custom HTTPS client that disables certificate verification and suppresses SNI, and it references push/email APIs that require credentials not declared in the skill metadata.
Name/description match the code's functionality (query rankings, generate images, export/subscribe). However the README claims data is "manually validated / no crawling / no API access", while query_rankings.py calls a remote API endpoint (https://onetotenvip.com/...) to fetch data. That claim about 'no API access' is therefore false or misleading.
SKILL.md instructs running the included scripts, which perform network requests to an external domain to fetch data and include push functionality (email/WeChat). The docs promise '无需 API 接入' but the runtime instructions and scripts clearly perform outbound network calls and support push integrations—this is scope creep / a documentation mismatch. The scripts also write local files (subscriptions.json) and copy outputs to the user's Desktop.
There is no install spec (instruction-only), which minimizes install-time risk, but the skill includes multiple Python scripts that will run on the host when invoked. No third‑party binary downloads or installers are present.
Registry metadata declares no required environment variables or primary credential, yet delivery_service.py expects SMTP credentials and wechat appid/appsecret to send push messages; subscription/payment docs also imply integration with payment callbacks. Required sensitive credentials are not declared in the skill metadata, a mismatch that could lead to unexpected credential usage if the user provides them later.
always:false and the skill does not request elevated agent privileges. It does create and update local files (subscriptions.json) and attempts to copy generated outputs to ~/Desktop, which is expected for this functionality but is persistent file system activity the user should be aware of.
Guidance
Before installing or running this skill:
1) Be cautious about network calls — the scripts contact an external domain (onetotenvip.com) with TLS verification disabled and SNI suppressed; ask the author why this is necessary and verify the endpoint's reputation.
2) Expect the skill to write files (subscriptions.json) and copy outputs to your Desktop.
3) The skill can send emails/WeChat messages and thus will need SMTP credentials and WeChat appid/secret — these are not declared in the metadata; do not provide credentials unless you trust the code and operator.
4) If you want to proceed, run it in an isolated/sandboxed environment, review the full source, and request the developer to: (a) remove or justify disabling TLS verification/SNI, (b) declare needed environment variables in metadata, and (c) provide documentation for the data source and its legal/ethical sourcing.
If the developer cannot satisfactorily explain the TLS choices and data provenance, avoid providing sensitive credentials or using the skill on production systems.
Latest Release
v1.0.0
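xiaohongshu-rankings 1.0.0 – initial release!
- Provides daily/weekly/monthly follower-growth rankings and growth rates for accounts across 25 major Xiaohongshu categories; all data is manually verified, accurate and reliable
- Supports one-click generation of polished Xiaohongshu-style ranking images, suitable for posting directly to Xiaohongshu, WeChat Moments and WeChat Official Accounts
- Supports exporting ranking data to Excel files for further analysis
- Provides scheduled ranking subscription pushes for daily/weekly/monthly scenarios
- Scripted operation and command-line support for batch generation and data processing
- Easy to get started; fully compatible with Coze, Skillhub, Clawhub and other platforms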
Published by @yuanyi-github on ClawHub