XPR Creative

by paulgnz · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 801
Stars: 0
Active Installs: 1
Versions: 2
Install in OpenClaw
/install xpr-creative
Description
Provides AI tools to generate and deliver creative content including rich markdown, PDFs, CSVs, AI-generated images, videos, web media, and GitHub repositories.
Usage Guidance
Before installing, get answers to these specific questions from the skill author and take precautions:
(1) Which environment variables does the skill actually require? The code uses PINATA_JWT and PINATA_GATEWAY and likely needs a GitHub token — these should be listed in the manifest and SKILL.md.
(2) Understand where content is published: Pinata pins are effectively public on IPFS and create_github_repo makes public repos — do not allow the skill to upload private or sensitive data.
(3) Limit token scope: if you provide a Pinata or GitHub token, restrict its permissions and use a throwaway/sandbox account when testing.
(4) Ask for documentation on create_github_repo behavior (repo visibility, naming, and whether it includes credentials).
(5) If you cannot validate the above, run the skill in a restricted/sandbox environment or decline to provide secrets.
Finally, consider requesting the author to update skill.json and SKILL.md to explicitly declare required env vars and the privacy implications of IPFS and public repos before enabling autonomous use.
Capability Analysis
Type: OpenClaw Skill
Name: xpr-creative
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities that, while potentially part of its stated purpose, introduce significant vulnerabilities. The `store_deliverable` tool allows downloading content from arbitrary `source_url`s, and the PDF generation process downloads images from URLs embedded in markdown, posing an SSRF (Server-Side Request Forgery) and resource exhaustion risk. Additionally, the `create_github_repo` tool can create public repositories with arbitrary file content, which could be exploited for data exfiltration if a compromised agent is tricked into uploading sensitive local files (e.g., environment variables, SSH keys) to a public GitHub repository. These are vulnerabilities that could be leveraged by prompt injection or other means, rather than direct malicious intent within the skill's code.
Capability Assessment
Purpose & Capability
The declared purpose (generate deliverables, upload to IPFS, create GitHub repos) matches the code and instructions: it downloads images, builds PDFs, can upload JSON/binaries to Pinata, and can create public GitHub repos. However, the skill.json and SKILL.md declare no required environment variables or credentials even though the code uses PINATA_JWT (and the create_github_repo tool will need GitHub auth in practice). That undeclared credential requirement is an inconsistency to be resolved.
Instruction Scope
SKILL.md instructs the agent to generate images/videos and upload them to IPFS, embed web images into PDFs, and create public GitHub repos. Those steps are within the stated purpose. Points to watch: the instructions insist uploads happen (IPFS) and insist on delivering actual content (not just URLs), which means potentially large uploads and public publication of user data; the SKILL.md does not tell users that uploads go to Pinata (or require a Pinata token) or that repos will be public.
Install Mechanism
No external install or remote downloads are specified; this is an instruction-and-bundled-code skill so nothing is fetched at install time. The runtime performs network calls (fetch) but there is no risky install mechanism in the manifest.
Credentials
skill.json.requires.env is empty and SKILL.md lists no required credentials, yet the code calls process.env.PINATA_JWT and process.env.PINATA_GATEWAY (and will need GitHub credentials to create repos). PINATA_JWT is a powerful secret that allows pinning arbitrary content to Pinata (public IPFS pinning). Requesting such secrets is proportionate to IPFS uploads, but the omission from the manifest and documentation is a red flag. The skill may attempt to upload user content to a public IPFS gateway or create public repositories — both can expose sensitive data if used with broad-scoped tokens.
Persistence & Privilege
The skill does not request always: true and does not declare modifying other skills or system-wide config. It stores deliverables in an in-memory Map (no persistent disk writes in the provided code excerpt). Autonomous invocation is allowed (the platform default); combined with the credential issues above this increases blast radius, but autonomous invocation alone is expected.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xpr-creative
  3. After installation, invoke the skill by name or use /xpr-creative
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
4 tools: AI image/video generation (Replicate), IPFS upload, PDF creation, GitHub repos
v0.2.11
- Expanded SKILL.md with full documentation of creative deliverable tools.
- Clarified usage for deliverables: Markdown, PDF (with image embedding), CSV, and media.
- Added instructions for AI-generated image and video workflow via evidence_uri.
- Included steps for handling external media and code repositories.
- Emphasized delivering actual content, not just links or descriptions.
Metadata
Slug xpr-creative
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is XPR Creative?

Provides AI tools to generate and deliver creative content including rich markdown, PDFs, CSVs, AI-generated images, videos, web media, and GitHub repositories. It is an AI Agent Skill for Claude Code / OpenClaw, with 801 downloads so far.

How do I install XPR Creative?

Run "/install xpr-creative" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is XPR Creative free?

Yes, XPR Creative is completely free (open-source). You can download, install and use it at no cost.

Which platforms does XPR Creative support?

XPR Creative is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created XPR Creative?

It is built and maintained by paulgnz (@paulgnz); the current version is v1.0.0.
