xhs-cli

SUSPICIOUS. The skill is coherent with its stated Xiaohongshu automation purpose, and installation comes from PyPI with verifiable provenance, so it is not outright malicious. However, it delegates browser-cookie login and all account actions to a personal third-party reverse-engineered CLI and enables autonomous public actions, creating meaningful credential-handling and account-abuse risk.