← Back to Skills Marketplace
xwchris

Xhs Cover Skill

by xwchris · GitHub ↗ · v3.0.0 · MIT-0
cross-platform ⚠ suspicious
1111
Downloads
1
Stars
5
Active Installs
5
Versions
Install in OpenClaw
/install xhs-cover
Description
生成小红书风格封面图片。使用场景:(1) 用户要求生成小红书封面 (2) 用户要求生成社交媒体封面图 (3) 用户为笔记/文章生成配图 (4) 用户询问 credit 余额或生成历史。首次使用会自动引导注册。
Usage Guidance
What to consider before installing/using this skill: - The skill runs a third‑party npm CLI (npx xhscover) which will download and execute code from the npm registry at runtime. This is expected for a CLI but means remote code runs on your machine — inspect the npm package and GitHub repo first. - Using the skill will send your API Key and the cover text you provide to api.xhscover.cn. If you include any sensitive information in the prompt, it will be transmitted. - The CLI will store your API Key locally (README notes ~/.xhscover). The skill metadata did not declare this config path or a required credential—treat that omission as a transparency gap. - Actions you can take: verify the npm package (npmjs page), review the GitHub repository code and issues, check publisher reputation, and consider creating a dedicated/minimal API key for this service. If you are uncomfortable, do not enable autonomous invocation or avoid installing the skill; instead run the CLI manually in a controlled environment to test it first. Confidence note: I judged this as 'suspicious' because the behavior is consistent with the skill's purpose but the metadata omissions (no declared API key or config path) and runtime execution of remote npm code warrant extra caution. Additional evidence that would change the verdict: an authoritative homepage and verified GitHub repo matching the npm package, explicit metadata listing the config path or credential, or a reproducible audit of the npm package contents showing no unexpected actions.
Capability Analysis
Type: OpenClaw Skill Name: xhs-cover Version: 3.0.0 The skill utilizes a shell script (`xhs-cover.sh`) to execute an external NPM package via `npx`, which introduces supply chain risks by downloading and running remote code. It also handles API keys stored in the user's home directory (`~/.xhscover`) and transmits data to an external service (`api.xhscover.cn`). While these behaviors are documented and aligned with the stated purpose of generating images, the use of shell execution, credential management, and external network calls constitutes a high-risk attack surface as defined in the analysis criteria.
Capability Assessment
Purpose & Capability
The name/description (generate Xiaohongshu-style covers) aligns with the runtime (npx xhscover → api.xhscover.cn). However, the skill does require an API key in practice (and stores it locally), but the skill metadata does not declare any required environment variable or primary credential. That omission is inconsistent with the stated need to provide an API Key.
Instruction Scope
SKILL.md explicitly instructs running npx xhscover commands that will send your cover text and API Key to api.xhscover.cn and may auto-register on first use. It also documents that the CLI will save the API Key under ~/.xhscover. The instructions do not read unrelated system files, but they do cause credential storage and transmission to a third‑party service — and the skill metadata did not declare the config path or credential requirement.
Install Mechanism
There is no install spec (instruction-only) and the included script simply execs 'npx xhscover'. Using npx will fetch and execute a package from the npm registry at runtime, which is normal for a CLI but means remote code will run on demand. The README and SKILL.md point to an npm package and GitHub repo, which helps validation but you should still inspect the npm package and repo before use.
Credentials
Functionally the CLI needs a single API Key (reasonable for the purpose), but requires.env and primaryEnv are empty in metadata. The skill will persist the API key to ~/.xhscover (not declared). The absence of declared credential/config requirements is a mismatch that reduces transparency and increases risk.
Persistence & Privilege
The skill is not always:true and does not request elevated platform privileges. It does, however, cause persistent storage of the API Key in the user's home directory (~/.xhscover) via the CLI. That persistence is within the skill's scope but should have been declared in the metadata (required config path).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xhs-cover
  3. After installation, invoke the skill by name or use /xhs-cover
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.0
改用 npx xhscover,支持终端内注册登录,移除手动 API Key 配置
v2.0.0
零外部依赖,内嵌 CLI 脚本,clone 即用。移除 mcporter 和 MCP 依赖。
v1.0.3
使用 mcporter ad-hoc 模式,无需预配置 mcporter.json,用户只需设置环境变量即可使用
v1.0.1
xhs-cover 1.0.1 - 明确声明了所需的依赖(mcporter 和 jq)。 - 新增 version 字段、requires、sendsDataTo 等标准元数据,提升兼容性和安全提示。 - 文档结构优化,增加数据流向、安全提示和 API Key 提醒。 - 删除冗余或重复内容,简化快速入门说明。 - 更新部分环境变量说明,更清晰直观。
v1.0.0
Initial release of xhs-cover. - Generate Xiaohongshu (小红书) style cover images via shell script or MCP protocol - Supports custom aspect ratios: 3:4 (vertical, default), 9:16, 1:1, 16:9 - Check credit balance and generation history directly from the script or mcporter - Easy setup with environment variables for API URL and key - Includes full usage instructions and helpful links to documentation and API
Metadata
Slug xhs-cover
Version 3.0.0
License MIT-0
All-time Installs 5
Active Installs 5
Total Versions 5
Frequently Asked Questions

What is Xhs Cover Skill?

生成小红书风格封面图片。使用场景:(1) 用户要求生成小红书封面 (2) 用户要求生成社交媒体封面图 (3) 用户为笔记/文章生成配图 (4) 用户询问 credit 余额或生成历史。首次使用会自动引导注册。 It is an AI Agent Skill for Claude Code / OpenClaw, with 1111 downloads so far.

How do I install Xhs Cover Skill?

Run "/install xhs-cover" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Xhs Cover Skill free?

Yes, Xhs Cover Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Xhs Cover Skill support?

Xhs Cover Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Xhs Cover Skill?

It is built and maintained by xwchris (@xwchris); the current version is v3.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments