Total downloads: 801
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install xpr-creative
Description
Provides AI tools to generate and deliver creative content including rich markdown, PDFs, CSVs, AI-generated images, videos, web media, and GitHub repositories.
Security usage recommendations
Before installing, get answers to these specific questions from the skill author and take precautions: (1) Which environment variables does the skill actually require? The code uses PINATA_JWT and PINATA_GATEWAY and likely needs a GitHub token — these should be listed in the manifest and SKILL.md. (2) Understand where content is published: Pinata pins are effectively public on IPFS and create_github_repo makes public repos — do not allow the skill to upload private or sensitive data. (3) Limit token scope: if you provide a Pinata or GitHub token, restrict its permissions and use a throwaway/sandbox account when testing. (4) Ask for documentation on create_github_repo behavior (repo visibility, naming, and whether it includes credentials). (5) If you cannot validate the above, run the skill in a restricted/sandbox environment or decline to provide secrets. Finally, consider requesting the author to update skill.json and SKILL.md to explicitly declare required env vars and the privacy implications of IPFS and public repos before enabling autonomous use.
Functional analysis
Type: OpenClaw Skill
Name: xpr-creative
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities that, while potentially part of its stated purpose, introduce significant vulnerabilities. The `store_deliverable` tool allows downloading content from arbitrary `source_url`s, and the PDF generation process downloads images from URLs embedded in markdown, posing an SSRF (Server-Side Request Forgery) and resource exhaustion risk. Additionally, the `create_github_repo` tool can create public repositories with arbitrary file content, which could be exploited for data exfiltration if a compromised agent is tricked into uploading sensitive local files (e.g., environment variables, SSH keys) to a public GitHub repository. These are vulnerabilities that could be leveraged by prompt injection or other means, rather than direct malicious intent within the skill's code.
Capability assessment
Purpose & Capability
The declared purpose (generate deliverables, upload to IPFS, create GitHub repos) matches the code and instructions: it downloads images, builds PDFs, can upload JSON/binaries to Pinata, and can create public GitHub repos. However, the skill.json and SKILL.md declare no required environment variables or credentials even though the code uses PINATA_JWT (and the create_github_repo tool will need GitHub auth in practice). That undeclared credential requirement is an inconsistency to be resolved.
Instruction Scope
SKILL.md instructs the agent to generate images/videos and upload them to IPFS, embed web images into PDFs, and create public GitHub repos. Those steps are within the stated purpose. Points to watch: the instructions insist uploads happen (IPFS) and insist on delivering actual content (not just URLs), which means potentially large uploads and public publication of user data; the SKILL.md does not tell users that uploads go to Pinata (or require a Pinata token) or that repos will be public.
Install Mechanism
No external install or remote downloads are specified; this is an instruction-and-bundled-code skill so nothing is fetched at install time. The runtime performs network calls (fetch) but there is no risky install mechanism in the manifest.
Credentials
skill.json.requires.env is empty and SKILL.md lists no required credentials, yet the code calls process.env.PINATA_JWT and process.env.PINATA_GATEWAY (and will need GitHub credentials to create repos). PINATA_JWT is a powerful secret that allows pinning arbitrary content to Pinata (public IPFS pinning). Requesting such secrets is proportionate to IPFS uploads, but the omission from the manifest and documentation is a red flag. The skill may attempt to upload user content to a public IPFS gateway or create public repositories — both can expose sensitive data if used with broad-scoped tokens.
Persistence & Privilege
The skill does not request always: true and does not declare modifying other skills or system-wide config. It stores deliverables in an in-memory Map (no persistent disk writes in the provided code excerpt). Autonomous invocation is allowed (the platform default); combined with the credential issues above this increases blast radius, but autonomous invocation alone is expected.
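How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install xpr-creative
- Once installation completes, call the Skill by name or trigger it with /xpr-creative
- Provide the required inputs as described in the Skill's parameter documentation to get structured output.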
Version history
v1.0.0
4 tools: AI image/video generation (Replicate), IPFS upload, PDF creation, GitHub repos
v0.2.11
- Expanded SKILL.md with full documentation of creative deliverable tools.
- Clarified usage for deliverables: Markdown, PDF (with image embedding), CSV, and media.
- Added instructions for AI-generated image and video workflow via evidence_uri.
- Included steps for handling external media and code repositories.
- Emphasized delivering actual content, not just links or descriptions.
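FAQ
What is XPR Creative?
Provides AI tools to generate and deliver creative content including rich markdown, PDFs, CSVs, AI-generated images, videos, web media, and GitHub repositories. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 801 cumulative downloads to date.
How do I install XPR Creative?
Run the command "/install xpr-creative" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is XPR Creative free?
Yes, XPR Creative is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does XPR Creative support?
XPR Creative is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed XPR Creative?
It is developed and maintained by paulgnz (@paulgnz); the current version is v1.0.0.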