← 返回 Skills 市场
730
总下载
0
收藏
3
当前安装
2
版本数
在 OpenClaw 中安装
/install xmind-skill
功能描述
Generate and read XMind (.xmind) files via the published xmind-generator-mcp MCP server (npm), with a chat-first UX.
安全使用建议
This skill appears to do what it says, but proceed cautiously. Key points to consider before installing/using:
- Runtime npm execution: The skill runs `npx -y [email protected]`, which downloads and executes package code from the npm registry each time. That is expected for this use case but is a supply‑chain risk. Prefer to verify the package contents and publisher before allowing the agent to run it.
- No upstream/source info: The skill metadata lists no source repository or homepage. That makes it harder to audit the MCP package. Look up the npm package ([email protected]) yourself and inspect its repository, maintainers, and recent changes.
- Implicit environment/use of env vars: The SKILL.md mentions an MCP-configured outputPath environment variable but the skill declares no env vars. Verify what outputPath the MCP will use in your environment so files are not written to unexpected locations.
- Local file access & chat attachments: The skill will write temp files (/tmp) and may save to ~/Desktop and then send the generated .xmind back in chat. If you have sensitive data on the system, be aware the package you run could read more of the filesystem if malicious.
- Mitigations: Run this in a sandboxed environment or container, inspect the npm package source, pin the package to a vetted version, or ask the publisher for a source repo before using. If you cannot verify the npm package or maintainers, treat this skill as higher risk.
功能分析
Type: OpenClaw Skill
Name: xmind-skill
Version: 0.1.1
The skill bundle is designed to generate and read XMind files using a specified npm package (`[email protected]`) via `npx`. The `SKILL.md` provides clear instructions for the AI agent on how to interact with the MCP server, handle user input (language, filenames, content), and manage file operations (saving to `~/Desktop` or `/tmp`). There are no instructions for data exfiltration, persistence, unauthorized remote control, or any other malicious activities. The inclusion of filename sanitization rules is a positive security practice. While potential vulnerabilities could arise from the agent's implementation of user input sanitization when converting to JSON, the skill's instructions themselves do not exhibit malicious intent.
能力评估
Purpose & Capability
Name/description match the required binaries and runtime behavior: mcporter is used to call an MCP and npx is used to run the npm package [email protected]. Requiring mcporter and npx is coherent for invoking a remote MCP service that produces .xmind files.
Instruction Scope
The SKILL.md stays within the stated purpose (construct JSON, write a temp file, call the MCP, return the .xmind to the user). It instructs writing JSON to /tmp and defaulting output to ~/Desktop, and to send generated files back via chat. Two issues: (1) it references an MCP-configured outputPath environment variable ('see below') but the skill declares no env vars—this is an internal inconsistency; (2) runtime use of 'npx -y' means code will be downloaded and executed from the npm registry at call time (supply‑chain/execution surface).
Install Mechanism
There is no install spec (instruction-only), but runtime execution relies on npx which will fetch and run [email protected] from the npm registry each time. This is expected for this functionality but is a moderate supply‑chain risk because arbitrary package code may run locally when invoked.
Credentials
The skill declares no required environment variables or credentials (which is reasonable). However the documentation references a MCP-configured outputPath environment variable without declaring it, and the MCP may honor environment variables not described here. Also the skill will read/write local paths (/tmp, ~/Desktop) and return files via chat—users should be aware that local files will be accessed and transmitted. The lack of declared upstream source/homepage for the npm package reduces transparency and increases risk.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require persistent installation. It will create temporary JSON files and may write .xmind files to Desktop or the MCP's outputPath; this is expected for the stated functionality.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xmind-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/xmind-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.1
Docs: translate SKILL.md to English
v0.1.0
Initial release: generate/read XMind via xmind-generator-mcp MCP server
元数据
常见问题
xmind 是什么?
Generate and read XMind (.xmind) files via the published xmind-generator-mcp MCP server (npm), with a chat-first UX. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 730 次。
如何安装 xmind?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xmind-skill」即可一键安装,无需额外配置。
xmind 是免费的吗?
是的,xmind 完全免费(开源免费),可自由下载、安装和使用。
xmind 支持哪些平台?
xmind 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 xmind?
由 Ben Zhang(@bangyizhang)开发并维护,当前版本 v0.1.1。
推荐 Skills