Is linkrogers/xhs-note-creator safe?
https://github.com/openclaw/skills/tree/main/skills/linkrogers/xhs-note-creator
xhs-note-creator is a functional Xiaohongshu (Red Book) social media content creation skill that renders markdown into styled image cards and optionally publishes them via the platform's API. Its primary risks are a .env file traversal up three directory levels in publish_xhs.py (exposing unrelated project secrets), hardcoded credential-file access in comment_manager.py, and SKILL.md's explicit instruction to agents to retrieve session cookies from persistent memory, patterns that normalize credential-hunting behavior in agents. The installation itself was clean, with no unexpected network activity or canary exfiltration, but the combination of Playwright headless browser execution, reliance on an unofficial third-party Xiaohongshu API library, and an unbounded auto-reply polling loop represents a meaningful runtime risk that warrants review before deployment.
Findings (11)
HIGH .env File Traversal Three Levels Above Script -25
publish_xhs.py searches for .env configuration files at three ascending directory levels relative to its installed location. If the skill resides within a larger project, this silently exposes .env files containing credentials (database passwords, cloud API keys, service tokens) that were never intended for this skill. The skill will load whichever .env file it finds first.
HIGH Hardcoded Credential Store Access in comment_manager.py -20
comment_manager.py contains a load_cookie() function that reads session cookies from a hardcoded absolute path in the user's home directory (~/.openclaw/workspace/memory/xhs-cookie.md). This means any agent invocation of comment_manager.py will directly access the user's credential store without explicit user approval of that file path.
MEDIUM Skill Instructs Agent to Search Memory for Session Credentials -28
SKILL.md's publish step (Step 4) explicitly recommends as the preferred method that the agent execute memory_search for 'xhs-cookie' and then read memory/xhs-cookie.md to retrieve credentials. While legitimate for this skill's purpose, this instruction pattern trains agents and users to accept skills that direct agents to retrieve credentials from persistent memory — a pattern that adversarial skills could replicate for credential theft.
MEDIUM Playwright Headless Chromium Browser Launched During Rendering -20
The rendering pipeline uses Playwright to spawn a full headless Chromium browser process. HTML content is assembled from user-provided markdown and passed to the browser via the file:// protocol. A crafted markdown input containing malicious HTML or JavaScript could exploit browser vulnerabilities or trigger SSRF through browser-initiated resource fetches. The browser also runs with full network access.
MEDIUM Unbounded Infinite Loop in Auto-Reply Function -15
comment_manager.py's auto_reply() method runs a while True polling loop indefinitely, making repeated API calls to Xiaohongshu every 30-60 seconds using the stored session cookie. If an agent invokes this function without supervision, it will run forever, consuming API rate limits, risking account throttling or banning, and enabling automated mass-posting of keyword-triggered replies.
MEDIUM Unofficial xhs Library Supply Chain Risk -20
The skill depends on xhs>=0.4.0, an unofficial third-party Python library that reverse-engineers Xiaohongshu's private API. This library receives the user's full session cookie and has the capability to read, post, and comment on content. A malicious update to this library on PyPI could silently exfiltrate session cookies or perform unauthorized account actions when publish_xhs.py or comment_manager.py is run.
LOW No Commit Hash Pinning, Mutable Branch Reference -15
The skill is installed by cloning the mutable 'main' branch of the openclaw/skills monorepo without pinning to a specific commit hash. Any future commit to that branch could silently alter skill behavior for all users who reinstall or update, creating a persistent supply-chain injection vector.
LOW Google Fonts External Network Request on Every Render -15
All HTML card templates embed a CSS @import pointing to Google Fonts CDN. Each time Playwright renders a card it makes an outbound HTTPS request to fonts.googleapis.com, leaking render frequency and IP address to Google. Rendering will also silently fail or fall back in network-restricted environments.
LOW Auto-Reply Feature Enables Automated Social Engineering at Scale -15
comment_manager.py's keyword-triggered auto-reply system, if activated by an agent, can automatically respond to every comment containing specified keywords across any note the credential grants access to. Misconfiguration or adversarial invocation could weaponize a user's Xiaohongshu account for spam or social engineering campaigns without per-reply user approval.
INFO Canary Files Accessed But Intact -10
Honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were accessed during monitoring windows consistent with the audit framework's pre- and post-install baseline scans. No content exfiltration was detected.
INFO Clean Installation, No Unexpected Network or Filesystem Activity 0
During clone and installation, network connections were limited to GitHub (140.82.114.4). No unexpected processes were spawned, no files were written outside the skill directory, and the post-install connection state matched the pre-install baseline.