← Back to Skills Marketplace
730
Downloads
0
Stars
3
Active Installs
2
Versions
Install in OpenClaw
/install xmind-skill
Description
Generate and read XMind (.xmind) files via the published xmind-generator-mcp MCP server (npm), with a chat-first UX.
Usage Guidance
This skill appears to do what it says, but proceed cautiously. Key points to consider before installing/using:
- Runtime npm execution: The skill runs `npx -y [email protected]`, which downloads and executes package code from the npm registry each time. That is expected for this use case but is a supply‑chain risk. Prefer to verify the package contents and publisher before allowing the agent to run it.
- No upstream/source info: The skill metadata lists no source repository or homepage. That makes it harder to audit the MCP package. Look up the npm package ([email protected]) yourself and inspect its repository, maintainers, and recent changes.
- Implicit environment/use of env vars: The SKILL.md mentions an MCP-configured outputPath environment variable but the skill declares no env vars. Verify what outputPath the MCP will use in your environment so files are not written to unexpected locations.
- Local file access & chat attachments: The skill will write temp files (/tmp) and may save to ~/Desktop and then send the generated .xmind back in chat. If you have sensitive data on the system, be aware the package you run could read more of the filesystem if malicious.
- Mitigations: Run this in a sandboxed environment or container, inspect the npm package source, pin the package to a vetted version, or ask the publisher for a source repo before using. If you cannot verify the npm package or maintainers, treat this skill as higher risk.
Capability Analysis
Type: OpenClaw Skill
Name: xmind-skill
Version: 0.1.1
The skill bundle is designed to generate and read XMind files using a specified npm package (`[email protected]`) via `npx`. The `SKILL.md` provides clear instructions for the AI agent on how to interact with the MCP server, handle user input (language, filenames, content), and manage file operations (saving to `~/Desktop` or `/tmp`). There are no instructions for data exfiltration, persistence, unauthorized remote control, or any other malicious activities. The inclusion of filename sanitization rules is a positive security practice. While potential vulnerabilities could arise from the agent's implementation of user input sanitization when converting to JSON, the skill's instructions themselves do not exhibit malicious intent.
Capability Assessment
Purpose & Capability
Name/description match the required binaries and runtime behavior: mcporter is used to call an MCP and npx is used to run the npm package [email protected]. Requiring mcporter and npx is coherent for invoking a remote MCP service that produces .xmind files.
Instruction Scope
The SKILL.md stays within the stated purpose (construct JSON, write a temp file, call the MCP, return the .xmind to the user). It instructs writing JSON to /tmp and defaulting output to ~/Desktop, and to send generated files back via chat. Two issues: (1) it references an MCP-configured outputPath environment variable ('see below') but the skill declares no env vars—this is an internal inconsistency; (2) runtime use of 'npx -y' means code will be downloaded and executed from the npm registry at call time (supply‑chain/execution surface).
Install Mechanism
There is no install spec (instruction-only), but runtime execution relies on npx which will fetch and run [email protected] from the npm registry each time. This is expected for this functionality but is a moderate supply‑chain risk because arbitrary package code may run locally when invoked.
Credentials
The skill declares no required environment variables or credentials (which is reasonable). However the documentation references a MCP-configured outputPath environment variable without declaring it, and the MCP may honor environment variables not described here. Also the skill will read/write local paths (/tmp, ~/Desktop) and return files via chat—users should be aware that local files will be accessed and transmitted. The lack of declared upstream source/homepage for the npm package reduces transparency and increases risk.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require persistent installation. It will create temporary JSON files and may write .xmind files to Desktop or the MCP's outputPath; this is expected for the stated functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xmind-skill - After installation, invoke the skill by name or use
/xmind-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
Docs: translate SKILL.md to English
v0.1.0
Initial release: generate/read XMind via xmind-generator-mcp MCP server
Metadata
Frequently Asked Questions
What is xmind?
Generate and read XMind (.xmind) files via the published xmind-generator-mcp MCP server (npm), with a chat-first UX. It is an AI Agent Skill for Claude Code / OpenClaw, with 730 downloads so far.
How do I install xmind?
Run "/install xmind-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xmind free?
Yes, xmind is completely free (open-source). You can download, install and use it at no cost.
Which platforms does xmind support?
xmind is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created xmind?
It is built and maintained by Ben Zhang (@bangyizhang); the current version is v0.1.1.
More Skills