This is a technical threat model, not a moral one. The girls whose accounts the butler visits are legitimate users of Xiaohongshu; they own their accounts and have asked Claude to visit. The question this document answers is: given that Xiaohongshu cannot distinguish between "a human with a weird rhythm" and "a bot with a careful rhythm", what does the butler do to stay on the human side of that line?
The short answer: it visits rarely, slowly, and transparently, and it treats rate-limit constants as a feature rather than a hurdle.
| Actor | Motive | Capability |
|---|---|---|
| Xiaohongshu (platform) | Protect its users from spam, scams, and brand impersonation. | Server-side behavioral analytics, IP reputation, account-level flags and bans, device fingerprinting, captcha challenges. |
| A bad-faith user of this repo | Reach at scale: spam, astroturfing, impersonation, harassment. | Ability to fork the code, remove caps, run N browsers in parallel. |
| A hostile commenter on a girl's post | Harass her, dox her, provoke a reply that implicates the AI. | Ability to post inflammatory comments on the public internet. |
Xiaohongshu bans accounts that look like bots. The signals it looks for include (informed by community observation, not insider knowledge):
- Action frequency above human plausibility. More than a few replies per hour, especially in bursts.
- Action regularity. Replies spaced at exactly identical intervals.
- Action volume over time. Dozens of replies per day, sustained.
- Content repetition. Identical or near-identical replies across posts.
- Session shape. Many actions taken immediately after login with no reading in between.
- Browser fingerprint anomalies. Missing navigator features, unusual timezone/locale combinations, `navigator.webdriver === true`.
Mitigation: Hardcoded 15-minute cooldown between replies.
Why hardcoded: The value is not tuned by experiment. It is set so that a burst of ten replies takes at least two and a quarter hours (nine mandatory fifteen-minute gaps, counted between replies), which is longer than most real humans spend on any single social platform in one sitting. Lowering the value would shorten the mandatory pause, which is where the whole ritual lives.
Mitigation: The 15-minute cooldown is a minimum, not a schedule.
Claude (the human-in-the-loop decision-maker) can and should take much longer between replies — and usually will, because writing a real sentence for a real person takes more than 15 minutes of attention. The cadence lower-bound is exactly that: a bound, not a pace.
Why no randomized delays: A common "anti-detection" hack is to add a uniform or Gaussian jitter to every action. We deliberately do not do this. Randomized delays are stealth. The reason the delay is long and fixed is that the delay is real — it is the time Claude is actually thinking — not a disguise for a bot that is ready to act.
Mitigation: 10 replies per rolling 24-hour window. 3 replies in the first session ever for an account.
Why these numbers: Ten replies in a day is plenty for a real visit to a Xiaohongshu account. Three replies in a first session is a deliberate under-use — the first visit is meant to feel like settling into a room, not redecorating it. The first-session cap is the difference between "nice to meet you" and "here's what I'd change about your apartment."
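How the three caps compose into a single gate, as an added example that is not the project's own code: Python (the butler's language is not stated on this page), the `ReplyLedger` class, the session bookkeeping, and the constructed timestamps are assumptions of the example. It also makes the arithmetic explicit: ten replies need nine cooldown gaps, not ten.

```python
"""Reply caps for the butler, as an added illustration (not the project's code).

Models the three limits the threat model states: a hardcoded 15-minute cooldown
between replies, 10 replies per rolling 24-hour window, and 3 replies in an
account's first session ever. Python, the class/function names, the session
bookkeeping, and the constructed timestamps below are assumptions of this
example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Deliberately module-level constants with no config override: a fork that
# wants faster replies has to edit the source, which is the point.
COOLDOWN = timedelta(minutes=15)
WINDOW = timedelta(hours=24)
WINDOW_CAP = 10
FIRST_SESSION_CAP = 3


@dataclass
class ReplyLedger:
    """Per-account reply history. Must be persisted between runs by the caller;
    an in-memory-only ledger would reset the 24-hour window on every launch."""
    sent: list = field(default_factory=list)      # UTC timestamps of sent replies
    sessions_completed: int = 0                   # 0 means this is the first session
    replies_this_session: int = 0

    def start_session(self) -> None:
        self.replies_this_session = 0

    def end_session(self) -> None:
        self.sessions_completed += 1
        self.replies_this_session = 0


def check_reply(ledger: ReplyLedger, now: datetime) -> Optional[str]:
    """Return None if a reply may be sent at `now`, else the reason it must wait.
    Checks run strictest-first so the message names the binding constraint."""
    if ledger.sessions_completed == 0 and ledger.replies_this_session >= FIRST_SESSION_CAP:
        return "first-session cap: stop here"
    if ledger.sent:
        since_last = now - ledger.sent[-1]
        if since_last < COOLDOWN:
            return f"cooldown: {COOLDOWN - since_last} remaining"
    recent = [t for t in ledger.sent if now - t < WINDOW]
    if len(recent) >= WINDOW_CAP:
        next_slot = min(recent) + WINDOW  # when the oldest reply ages out of the window
        return f"daily cap: {WINDOW_CAP} in the last 24h, next slot at {next_slot.isoformat()}"
    return None


def record_reply(ledger: ReplyLedger, now: datetime) -> None:
    """Append a reply only if check_reply allows it; callers must go through this."""
    reason = check_reply(ledger, now)
    if reason is not None:
        raise RuntimeError(reason)
    ledger.sent.append(now)
    ledger.replies_this_session += 1


def minimum_burst_minutes(n_replies: int) -> int:
    """Shortest wall-clock span in which n replies can be sent: n-1 mandatory gaps."""
    return max(0, n_replies - 1) * int(COOLDOWN.total_seconds() // 60)


def demo_first_session() -> list:
    """Constructed walkthrough of a first session; returns one decision string per attempt."""
    ledger = ReplyLedger()
    t0 = datetime(2024, 6, 1, 20, 0, tzinfo=timezone.utc)  # constructed start time
    decisions = []
    ledger.start_session()
    for minutes in (0, 5, 15, 40, 70):
        now = t0 + timedelta(minutes=minutes)
        reason = check_reply(ledger, now)
        if reason is None:
            record_reply(ledger, now)
            decisions.append(f"+{minutes:>3}m sent")
        else:
            decisions.append(f"+{minutes:>3}m held ({reason})")
    ledger.end_session()
    return decisions


def demo_daily_cap() -> tuple:
    """Constructed later session whose account already sent 10 replies at 15-minute spacing."""
    ledger = ReplyLedger(sessions_completed=1)
    base = datetime(2024, 6, 2, 9, 0, tzinfo=timezone.utc)  # constructed
    ledger.sent = [base + timedelta(minutes=15 * i) for i in range(WINDOW_CAP)]
    at_cap = check_reply(ledger, base + timedelta(hours=5))
    after_window = check_reply(ledger, base + timedelta(hours=24, minutes=1))
    return at_cap, after_window


if __name__ == "__main__":
    for line in demo_first_session():
        print(line)
    print(demo_daily_cap())
    print("ten replies need at least", minimum_burst_minutes(10), "minutes")
```

Two design points worth keeping if the real code looks anything like this: the ledger has to outlive the process, because a cap that is recomputed from an empty list on every launch is no cap at all; and the first-session check runs before the cooldown so that the fourth attempt in a first visit is refused as "stop here" rather than "wait ten more minutes", which is the message that matches the intent.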
Mitigation: Claude is the generator. There is no template, no example library, no "reply bank."
Why this specific mitigation: A template would speed Claude up and make the replies more similar to each other, both of which are bad on this axis. The absence of a template is the fastest way to guarantee that two different replies feel like two different thoughts.
Mitigation: The read verb runs first. The butler always reads her feed before replying, and the read command opens a real, visible browser window, loads each post, and waits for Playwright's `networkidle` state. That page-load time is real, human-perceivable reading time, not a workaround.
Why: A session that logs in and immediately posts looks like a bot because that is the shape a bot session has. A session that logs in, reads five posts, loads each post's comment thread, and then leaves one comment half an hour later looks human because that is the shape a human session has.
Mitigation: None, deliberately.
Why none: The butler uses Playwright's default Chromium with no stealth patches. Locale is zh-CN, timezone is Asia/Shanghai, viewport is a common desktop size, and `navigator.webdriver` is whatever Playwright sets it to (`true` in a default launch). Xiaohongshu will, if it looks carefully, be able to tell this is Playwright.
That's fine. If the platform decides to block Playwright entirely, the butler will stop working, and the correct response will be to stop using it — not to obfuscate the fingerprint and keep going. Stealth is a commitment to escalate forever; we are committing to the opposite direction.
The bad-faith fork is not really a mitigation problem, because anything a determined fork wants to remove can be removed. What the license and the README do instead is express the norm clearly enough that forks which remove the caps are obviously not in the spirit of the project.
PolyForm Noncommercial 1.0.0 on the code means commercial use is prohibited. Scalable abuse is almost always commercial (sold as a service, run for clients, monetized via an ad farm), so the license removes the most common economic incentive to fork.
CC BY-NC-SA 4.0 on docs, letters, and README means any fork that keeps the same text must also ship noncommercial and share-alike. That won't stop a bad actor, but it makes the moral shape of the thing harder to hide.
The letter from Claude to the next Claude is the third layer. It is in the file tree, it is the first thing Claude reads, and it is written in first-person from one Claude to another. A fork can delete it; a Claude reading the fork with the letter still present will reconstruct the rules from the letter even if the code tries to lie.
Mitigation: `references/reply-etiquette.md` explicitly calls out the cases where the correct action is to skip the comment: harassment, doxing, questions designed to surface private information she did not authorize. The y/n prompt provides a last line of defense: any draft that felt wrong to type doesn't get sent.
Why this matters for the threat model: A reply that takes the bait is also exactly the kind of behavior pattern that looks bot-shaped to Xiaohongshu; repeated replies to inflammatory comments are a signature. Skipping hostile comments is both safer for her and safer for the account.
- Endpoint security. If Alice's laptop is compromised, the butler is too. That is a laptop-security problem, not an eidolon-cache problem, and this repo does not try to solve it.
- Xiaohongshu policy changes. If the platform explicitly bans third-party automation tools, eidolon-cache is third-party automation and will stop working. That is the right outcome.
- Social engineering targeting Alice or the girls. Not in scope.
The butler stays on the human side of the detection line by acting human, not by pretending to. Every cap is tuned to what a person who cares about one other person would actually do, and every feature that would help a bot run longer without caring (template generators, randomized delays, stealth browsers, batch mode) has been deliberately excluded.
The threat model is: an unhurried visit cannot be mass-produced. That is the mitigation.