xhs 全流程助手,覆盖小红书内容策划、文案与标题生成、封面制作、笔记发布及日常运营管理。适用于写笔记、生成标题/封面、发布或保存草稿、站内搜索、评论互动(点赞/收藏/回复)等小红书相关任务。支持从内容创作到发布执行的一站式流程;封面 AI 生图可选配置 GEMINI_API_KEY、IMG_API_KEY 或...
Security Analysis
medium confidenceThe skill's instructions match a Xiaohongshu publishing assistant, but the description refers to optional AI API keys that are not declared or explained in the runtime instructions — an inconsistency worth clarifying before install.
The name/description and SKILL.md both describe a browser-automation Xiaohongshu (小红书) publishing assistant (drafts, publish, replies, metrics). That purpose is coherent with the step-by-step publish flow and confirmation policy. However, the description mentions optional cover-generation API keys (GEMINI_API_KEY, IMG_API_KEY, HUNYUAN_API_KEY) while the skill metadata declares no required environment variables and SKILL.md contains no instructions about calling those image-generation services. This mismatch is unexplained and could be a missing integration or incomplete docs.
SKILL.md stays largely within scope: it requires using the official creator site, explicit SMS/CAPTCHA handling by the user, a strict publish confirmation policy, and stepwise publish/draft flows. It does allow actions beyond publishing (reply to comments/messages, check metrics) but only the publish action is gated by an explicit confirmation requirement. The doc does not instruct reading unrelated system files or environment variables. Consider whether replies or other write actions should also require explicit confirmation.
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or installed. That is the lowest-risk install mechanism and matches its described browser-automation role.
Metadata shows no required environment variables, but the description mentions optional GEMINI_API_KEY / IMG_API_KEY / HUNYUAN_API_KEY for AI-generated covers. These keys are not declared in requires.env nor referenced in SKILL.md; it's unclear if the skill will ever ask for or use such keys. This is an unexplained discrepancy: if cover-generation features exist, they would legitimately need API keys — the skill should declare them and document when/how they'll be used. Also note the skill acts on the user's logged-in web session (browser cookies/SMS), which effectively grants it ability to post on the user's account; that is expected for this purpose but is a sensitive capability.
always:false and no installation hooks are set. The skill will act via the current browser session and can be invoked autonomously by the agent (the platform default). Autonomous invocation combined with publish capability increases blast radius, but SKILL.md requires explicit confirmation for publishes which mitigates that particular risk. The skill does not request persistent system-wide privileges or modify other skills.
Guidance
This instruction-only skill appears to do what it claims (automate publishing on Xiaohongshu) but has a documentation inconsistency: the description mentions optional AI image API keys that are not declared or used in the runtime instructions. Before installing or enabling it, ask the skill author to clarify whether cover-generation calls will be made and, if so, which environment variables are required and how keys are stored/used. Be aware the skill operates through your browser login: it can create drafts, post, reply, and read dashboard info in that session. To reduce risk, test with draft-only mode first, avoid supplying API keys until you understand why they're needed, and ensure you will be prompted for final confirmation before any publish action. If you don't trust the author or can't get clarification, avoid installing or restrict usage to manual/draft workflows.
Latest Release
v0.1.3
Refine description wording for xhs all-in-one workflow
More by @YIKAILucas
Published by @YIKAILucas on ClawHub
