← 返回 Skills 市场

Xhs Cover Skill

Name: Xhs Cover Skill
Author: xwchris

作者 xwchris · GitHub ↗ · v3.0.0 · MIT-0

cross-platform ⚠ suspicious

1111

总下载

当前安装

版本数

在 OpenClaw 中安装

/install xhs-cover

功能描述

生成小红书风格封面图片。使用场景：(1) 用户要求生成小红书封面 (2) 用户要求生成社交媒体封面图 (3) 用户为笔记/文章生成配图 (4) 用户询问 credit 余额或生成历史。首次使用会自动引导注册。

安全使用建议

What to consider before installing/using this skill: - The skill runs a third‑party npm CLI (npx xhscover) which will download and execute code from the npm registry at runtime. This is expected for a CLI but means remote code runs on your machine — inspect the npm package and GitHub repo first. - Using the skill will send your API Key and the cover text you provide to api.xhscover.cn. If you include any sensitive information in the prompt, it will be transmitted. - The CLI will store your API Key locally (README notes ~/.xhscover). The skill metadata did not declare this config path or a required credential—treat that omission as a transparency gap. - Actions you can take: verify the npm package (npmjs page), review the GitHub repository code and issues, check publisher reputation, and consider creating a dedicated/minimal API key for this service. If you are uncomfortable, do not enable autonomous invocation or avoid installing the skill; instead run the CLI manually in a controlled environment to test it first. Confidence note: I judged this as 'suspicious' because the behavior is consistent with the skill's purpose but the metadata omissions (no declared API key or config path) and runtime execution of remote npm code warrant extra caution. Additional evidence that would change the verdict: an authoritative homepage and verified GitHub repo matching the npm package, explicit metadata listing the config path or credential, or a reproducible audit of the npm package contents showing no unexpected actions.

功能分析

Type: OpenClaw Skill Name: xhs-cover Version: 3.0.0 The skill utilizes a shell script (`xhs-cover.sh`) to execute an external NPM package via `npx`, which introduces supply chain risks by downloading and running remote code. It also handles API keys stored in the user's home directory (`~/.xhscover`) and transmits data to an external service (`api.xhscover.cn`). While these behaviors are documented and aligned with the stated purpose of generating images, the use of shell execution, credential management, and external network calls constitutes a high-risk attack surface as defined in the analysis criteria.

能力评估

ℹ Purpose & Capability

The name/description (generate Xiaohongshu-style covers) aligns with the runtime (npx xhscover → api.xhscover.cn). However, the skill does require an API key in practice (and stores it locally), but the skill metadata does not declare any required environment variable or primary credential. That omission is inconsistent with the stated need to provide an API Key.

⚠ Instruction Scope

SKILL.md explicitly instructs running npx xhscover commands that will send your cover text and API Key to api.xhscover.cn and may auto-register on first use. It also documents that the CLI will save the API Key under ~/.xhscover. The instructions do not read unrelated system files, but they do cause credential storage and transmission to a third‑party service — and the skill metadata did not declare the config path or credential requirement.

ℹ Install Mechanism

There is no install spec (instruction-only) and the included script simply execs 'npx xhscover'. Using npx will fetch and execute a package from the npm registry at runtime, which is normal for a CLI but means remote code will run on demand. The README and SKILL.md point to an npm package and GitHub repo, which helps validation but you should still inspect the npm package and repo before use.

⚠ Credentials

Functionally the CLI needs a single API Key (reasonable for the purpose), but requires.env and primaryEnv are empty in metadata. The skill will persist the API key to ~/.xhscover (not declared). The absence of declared credential/config requirements is a mismatch that reduces transparency and increases risk.

ℹ Persistence & Privilege

The skill is not always:true and does not request elevated platform privileges. It does, however, cause persistent storage of the API Key in the user's home directory (~/.xhscover) via the CLI. That persistence is within the skill's scope but should have been declared in the metadata (required config path).

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install xhs-cover
安装完成后，直接呼叫该 Skill 的名称或使用 /xhs-cover 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v3.0.0

改用 npx xhscover，支持终端内注册登录，移除手动 API Key 配置

v2.0.0

零外部依赖，内嵌 CLI 脚本，clone 即用。移除 mcporter 和 MCP 依赖。

v1.0.3

使用 mcporter ad-hoc 模式，无需预配置 mcporter.json，用户只需设置环境变量即可使用

v1.0.1

xhs-cover 1.0.1 - 明确声明了所需的依赖（mcporter 和 jq）。 - 新增 version 字段、requires、sendsDataTo 等标准元数据，提升兼容性和安全提示。 - 文档结构优化，增加数据流向、安全提示和 API Key 提醒。 - 删除冗余或重复内容，简化快速入门说明。 - 更新部分环境变量说明，更清晰直观。

v1.0.0

Initial release of xhs-cover. - Generate Xiaohongshu (小红书) style cover images via shell script or MCP protocol - Supports custom aspect ratios: 3:4 (vertical, default), 9:16, 1:1, 16:9 - Check credit balance and generation history directly from the script or mcporter - Easy setup with environment variables for API URL and key - Includes full usage instructions and helpful links to documentation and API

元数据

Slug xhs-cover

版本 3.0.0

许可证 MIT-0

累计安装 5

当前安装数 5

历史版本数 5

常见问题

Xhs Cover Skill 是什么？

生成小红书风格封面图片。使用场景：(1) 用户要求生成小红书封面 (2) 用户要求生成社交媒体封面图 (3) 用户为笔记/文章生成配图 (4) 用户询问 credit 余额或生成历史。首次使用会自动引导注册。它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1111 次。

如何安装 Xhs Cover Skill？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install xhs-cover」即可一键安装，无需额外配置。

Xhs Cover Skill 是免费的吗？

是的，Xhs Cover Skill 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Xhs Cover Skill 支持哪些平台？

Xhs Cover Skill 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Xhs Cover Skill？

由 xwchris（@xwchris）开发并维护，当前版本 v3.0.0。