xhs-note-creator
Audited by Socket on Feb 23, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected

The project legitimately focuses on authoring and rendering Xiaohongshu-style notes to images. The primary security concern is the publishing workflow: it instructs users to provide full browser session cookies (XHS_COOKIE) and to install an unverified third-party package ('xhs') to perform authenticated uploads. These operational choices create meaningful supply-chain and credential-exfiltration risk even though the provided fragment contains no overt malware. Before using the publish feature, inspect publish_xhs.py and the 'xhs' package source, prefer scoped/API-based auth, and add safeguards against credential leakage.

LLM verification: The repository's rendering functionality is consistent with its stated purpose and is low-risk when used offline and with inspected local scripts. However, the documented publish workflow requires copying a raw browser session cookie and installing an unpinned third-party package (`xhs`), creating a significant supply-chain and credential exposure risk. Without reviewing publish_xhs.py and the `xhs` package code and endpoints, treat publishing as suspicious/high-risk. Recommend removing guidance