XHS Cover Generator

v1.0.0

Generate Xiaohongshu (小红书) cover images with Chinese text overlays. Use when asked to create social media cover images, Xiaohongshu post images, or RED post...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description match the included code and SKILL.md: it generates cover images, renders Chinese text with a Noto Sans CJK font, and can fetch base images from Pollinations.ai. One minor inconsistency: the skill metadata lists no required binaries, but SKILL.md and the script rely on curl and Python with Pillow (PIL). This is an omission in metadata rather than a functional mismatch.
Instruction Scope
Runtime instructions and the script stay within the stated purpose: creating images, downloading a font into /tmp, and optionally fetching an AI-generated base image from Pollinations.ai. The instructions do not ask the agent to read unrelated files, environment variables, or credentials.
Install Mechanism
There is no install spec (low-risk). The script performs runtime downloads: a font from a GitHub raw URL and images from image.pollinations.ai. Both are public endpoints; the font download is from GoogleFonts on GitHub (raw), which is an expected source. Downloads occur at runtime and are written to /tmp.
Credentials
The skill requests no environment variables or credentials. It does require network access to download the font and optionally to call Pollinations.ai, which is reasonable for the described functionality. The script does not access or exfiltrate secrets.
Persistence & Privilege
The skill does not request permanent/system-wide installation or 'always' privilege, and it does not modify other skills. It caches the font in the system temp directory (/tmp), which is normal for this use case.
Assessment
This skill appears to do what it says: generate Xiaohongshu cover images. Before installing or running it, consider: (1) ensure the agent environment has Python3 and Pillow and that curl is available (SKILL.md requires these, but the registry metadata omitted them); (2) the script downloads a Noto Sans CJK font from a GitHub raw URL and optionally sends your text prompt to Pollinations.ai — if your prompts contain sensitive information, they will be transmitted to an external service; (3) the script does not verify the font SHA256 (FONT_SHA256 is None), so if you are security-sensitive you may want to supply a local font file instead or add a hash check; (4) the script caches files in /tmp and writes the resultant JPEG to the requested output path — verify file paths before running. If any of these network calls or automatic downloads are unacceptable, review/modify the script to use a preinstalled font or a different image source.

Like a lobster shell, security has layers — review code before you run it.

latest vk9703z16v9adtfy84s7517w0ed84c2bn
