xmind
v0.1.1
Generate and read XMind (.xmind) files via the published xmind-generator-mcp MCP server (npm), with a chat-first UX.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the required binaries and runtime behavior: mcporter is used to call an MCP and npx is used to run the npm package xmind-generator-mcp@0.1.2. Requiring mcporter and npx is coherent for invoking a remote MCP service that produces .xmind files.
Instruction Scope
The SKILL.md stays within the stated purpose (construct JSON, write a temp file, call the MCP, return the .xmind to the user). It instructs writing JSON to /tmp and defaulting output to ~/Desktop, and to send generated files back via chat. Two issues: (1) it references an MCP-configured outputPath environment variable ('see below') but the skill declares no env vars—this is an internal inconsistency; (2) runtime use of 'npx -y' means code will be downloaded and executed from the npm registry at call time (supply‑chain/execution surface).
Install Mechanism
There is no install spec (instruction-only), but runtime execution relies on npx which will fetch and run xmind-generator-mcp@0.1.2 from the npm registry each time. This is expected for this functionality but is a moderate supply‑chain risk because arbitrary package code may run locally when invoked.
Credentials
The skill declares no required environment variables or credentials (which is reasonable). However the documentation references a MCP-configured outputPath environment variable without declaring it, and the MCP may honor environment variables not described here. Also the skill will read/write local paths (/tmp, ~/Desktop) and return files via chat—users should be aware that local files will be accessed and transmitted. The lack of declared upstream source/homepage for the npm package reduces transparency and increases risk.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require persistent installation. It will create temporary JSON files and may write .xmind files to Desktop or the MCP's outputPath; this is expected for the stated functionality.
What to consider before installing
This skill appears to do what it says, but proceed cautiously. Key points to consider before installing/using:
- Runtime npm execution: The skill runs `npx -y xmind-generator-mcp@0.1.2`, which downloads and executes package code from the npm registry each time. That is expected for this use case but is a supply‑chain risk. Prefer to verify the package contents and publisher before allowing the agent to run it.
- No upstream/source info: The skill metadata lists no source repository or homepage. That makes it harder to audit the MCP package. Look up the npm package (xmind-generator-mcp@0.1.2) yourself and inspect its repository, maintainers, and recent changes.
- Implicit environment/use of env vars: The SKILL.md mentions an MCP-configured outputPath environment variable but the skill declares no env vars. Verify what outputPath the MCP will use in your environment so files are not written to unexpected locations.
- Local file access & chat attachments: The skill will write temp files (/tmp) and may save to ~/Desktop and then send the generated .xmind back in chat. If you have sensitive data on the system, be aware the package you run could read more of the filesystem if malicious.
- Mitigations: Run this in a sandboxed environment or container, inspect the npm package source, pin the package to a vetted version, or ask the publisher for a source repo before using. If you cannot verify the npm package or maintainers, treat this skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.
latestvk971kx3z5j3jwjmxfz1q7vzp2s826qta
Runtime requirements
🧠 Clawdis
Bins: mcporter, npx
