Security scan
OpenClaw
Safe
high confidence
The skill's instructions, requirements, and actions are coherent with its stated purpose (managing Xiaohongshu login via QR codes and cookie clearing); it requests no credentials, no installs, and only uses reasonable fallback file/display steps.
Assessment recommendations
This skill appears internally consistent for QR-based Xiaohongshu login. Before installing, verify you trust the platform connector (MCP) that will actually perform the check/login operations, since the skill delegates to it. Pay attention to the delete_cookies step — it will clear the current session and should only be run after explicit confirmation. If the client falls back to saving the QR to /tmp, be aware the file can be accessible on shared machines; consider using a secure temporary dire...
Detailed analysis
✓ Purpose and capabilities
The name/description match the runtime instructions: checking login status, returning a QR code for scanning, and optionally deleting cookies to switch accounts. The skill does not request unrelated environment variables, binaries, or config paths.
ℹ Instruction scope
The SKILL.md only calls three MCP operations (check_login_status, get_login_qrcode, delete_cookies) which align with the purpose. It includes a fallback that writes Base64 image data to /tmp/xhs-qrcode.png and runs platform-specific open commands (open / xdg-open). Writing a temporary file and spawning a viewer process is expected behavior for displaying a QR code, but this does require filesystem and process execution privileges and the fallback file may be world-readable on shared systems. The SKILL.md explicitly requires user confirmation before delete_cookies, which is appropriate.
✓ Install mechanism
No install spec or code files are provided (instruction-only), so nothing will be downloaded or written beyond ephemeral runtime artifacts. This is the lowest-risk install profile.
✓ Credential requirements
The skill declares no required environment variables, credentials, or config paths. The operations described (QR generation, status check, cookie deletion) do not appear to need additional secrets from the agent. Note: the SKILL.md relies on an external 'MCP' tool/connector — that tool may itself require credentials or network access, but those are not requested by this skill.
✓ Persistence and privileges
The skill is user-invocable (not always: true) and does not request persistent presence or modify other skills or global agent settings. It does not attempt to store its own tokens or alter system-wide configuration.
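Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v0.1.0 · 2026/3/5
xhs-login v0.1.0
- Initial release, supporting the full Xiaohongshu QR-code login flow.
- Checks the current login status, showing the logged-in account or guiding the user to scan.
- Supports QR-code login, with details on obtaining the QR code and its validity period.
- Provides account switching and logout, which require user confirmation and a new scan.
- Defines failure handling, including guidance for the tool-unavailable and QR-code-timeout scenarios.
● Benign
Install command
Official: npx clawhub@latest install xhs-login
Mirror: npx clawhub@latest install xhs-login --registry https://cn.clawhub-mirror.com
Skill documentation
Execution flow
1. Check login status
Call check_login_status (no parameters); it returns whether the user is logged in and the username.
- Logged in → tell the user which account is currently logged in
- Not logged in → go to step 2
2. QR-code login
Call get_login_qrcode (no parameters). The MCP tool returns two parts:
- Text: a timeout notice (including the deadline)
- Image: the QR code in PNG format (MCP image content type, Base64-encoded)
Displaying the QR code: the image returned by MCP is rendered to the user by the client. If the client cannot display images directly (for example, a plain-text terminal), save the Base64 data as a temporary PNG file and tell the user the file path so they can open it manually: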
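```bash
# fallback: save the QR code to a temporary file
# (the Base64 image data returned by get_login_qrcode goes between the quotes)
echo "" | base64 -d > /tmp/xhs-qrcode.png
open /tmp/xhs-qrcode.png # macOS
xdg-open /tmp/xhs-qrcode.png # Linux
```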
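Tell the user to:
- Open the Xiaohongshu app and scan the QR code
- Be aware that the QR code is valid for a limited time and must be fetched again once it expires
After the scan is complete, call check_login_status to confirm that the login succeeded.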
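The fallback in step 2 writes to the fixed path /tmp/xhs-qrcode.png, which the scan report notes may be world-readable on shared systems. The following is an added example, not part of the skill's own documentation, that decodes the image into an owner-only directory instead; `save_qr_private`, `cleanup_qr` and the sample Base64 string are names and data assumed here for illustration.

```shell
#!/usr/bin/env bash
# Added example: owner-only variant of the QR fallback (hypothetical helper names).

# Constructed sample: Base64 of the 8-byte PNG signature only, not a real QR code.
SAMPLE_QR_B64='iVBORw0KGgo='

# Decode Base64 PNG data ($1) into a new private directory and print the file path.
save_qr_private() {
  local b64="$1" dir file magic
  # mktemp -d creates an unpredictable directory with mode 0700, so other local
  # users can neither pre-create the path nor read the image inside it.
  dir="$(mktemp -d "${TMPDIR:-/tmp}/xhs-qr.XXXXXX")" || return 1
  file="$dir/qrcode.png"
  # umask 077 inside a subshell: the file is created 0600 and the caller's
  # umask is left unchanged.
  if ! ( umask 077; printf '%s' "$b64" | base64 -d > "$file" ) 2>/dev/null; then
    rm -rf "$dir"; return 1
  fi
  # Only hand a viewer data that starts with the PNG signature.
  magic="$(head -c 8 "$file" | od -An -tx1 | tr -d ' \n')"
  if [ "$magic" != "89504e470d0a1a0a" ]; then
    rm -rf "$dir"; return 1
  fi
  printf '%s\n' "$file"
}

# Remove the QR file and its directory once login is confirmed or the code expires.
cleanup_qr() {
  case "$1" in
    */xhs-qr.*/qrcode.png) rm -rf "$(dirname "$1")" ;;
    *) return 1 ;;  # refuse paths this helper did not create
  esac
}
```

The printed path can be passed to `open` or `xdg-open` exactly as in the original fallback; call `cleanup_qr` with the same path after check_login_status confirms the login.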
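3. Re-login / switch account
When the user asks to log in again or switch accounts:
- Call delete_cookies (⚠️ requires user confirmation): clears the current login state
- Call get_login_qrcode: fetches a new QR code
- Guide the user through scanning it
Constraints
- delete_cookies clears the login state; confirmation is required before it is executed
- Login requires the user to scan the code manually with the mobile app; it cannot be completed automatically
Failure handling
| Scenario | Handling |
|---|---|
| MCP tool unavailable | Guide the user to run /setup-xhs-mcp to complete deployment and connection configuration |
| QR code timed out | Call get_login_qrcode again |
Data source: ClawHub · Chinese localization: 龙虾技能库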