Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xiaohongshu card generator

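Use when the user asks to render Markdown/text as Xiaohongshu-style cards, or mentions "generate Xiaohongshu cards", "md to image", "make cards", or "Xiaohongshu image posts".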

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and CLI: the repo contains Markdown→HTML→paginate→Playwright→PNG pipeline, 24 templates, and CLI commands (render/templates/doctor). No unrelated credentials, binaries, or network-only services are required for the core functionality.
Instruction Scope
SKILL.md only instructs local install and running the provided CLI. It asks the agent to request user confirmation for template and output directory (reasonable). One caution: an optional mode (--wechat-mode) enables fetching remote images and in that case the tool will fetch external image URLs and embed them as data URIs; this is explicit in the code and controlled by a CLI flag (not enabled by default).
Install Mechanism
No platform install spec in registry, but included scripts/setup.sh runs npm install/ci and invokes Playwright to download Chromium. This is expected for a Node+Playwright tool but does download many npm packages and a browser binary (moderate risk if running untrusted code).
Credentials
The skill requests no environment variables or credentials. File access is limited to reading the user-specified input Markdown and writing output files/directories (as a renderer should).
Persistence & Privilege
Skill is not marked always:true, does not modify other skills or system-wide agent configs. It runs locally and writes its own output/report files only.
Scan Findings in Context
[base64-block] unexpected: Scanner flagged a 'base64-block' pattern in SKILL.md content. I did not find obvious embedded large base64 blocks in the shown SKILL.md; templates or assets could contain embedded data URIs, but embedding large base64 blobs in SKILL.md would be unexpected. Treat this as a possibly false-positive prompt-injection signal or as something to inspect in the SKILL.md/assets before running.
Assessment
This skill appears to do what it claims: convert local Markdown/MDX into themed PNG cards using Playwright. Before installing or running it: (1) review assets/templates for any embedded or unexpected data (base64 images), (2) run in a sandbox or VM the first time because setup.sh runs npm ci and Playwright will download packages and a Chromium binary, (3) prefer 'doctor' first to validate templates and Playwright, (4) note that remote image fetching (embedding external images) happens only when you enable --wechat-mode, so avoid that flag if you don't want the tool to make outbound HTTP requests, and (5) inspect package.json/package-lock.json if you need assurance about third-party dependencies. If you want extra caution, audit the code (already included) or run npm install with network monitoring / offline lockfile verification.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/xhs-card.cjs:8: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk97ckv7nmegjzxgna805ac1tk9834f83


SKILL.md

XHS Card Generator

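A local generator that converts Markdown/MDX into Xiaohongshu card images. Supports 24 templates, light/dark modes, and smart pagination. Not intended for: general image editing, screenshots, PDF processing, or video production.

Quick start

# First-time install (installs dependencies + Playwright chromium)
bash scripts/setup.sh

# Environment check
node scripts/xhs-card.cjs doctor

# List all templates
node scripts/xhs-card.cjs templates list

Render cards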

node scripts/xhs-card.cjs render ./article.md \
  --theme xiaohongshu --mode light --split auto \
  --size 440x586 --scale 4 --pager --output ./output

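CLI parameters

Parameter              Default       Description
--theme                xiaohongshu   Template ID; see the list below
--mode                 light         light/dark (falls back to light automatically when unsupported)
--split                auto          auto = smart pagination, hr = split at horizontal rules, none = no pagination
--size                 440x586       Card size (width x height)
--scale                4             Output image scale factor
--pager / --no-pager   pager         Show/hide page numbers
--mdx-mode             false         Enable MDX parsing
--output               ./output      Output directory
--max-pages            80            Maximum number of pages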

24 built-in templates

apple-notes xiaohongshu instagram dreamy nature minimalist notebook coil-notebook business typewriter watercolor fairytale japanese-magazine traditional-chinese art-deco pop-art cyberpunk darktech glassmorphism warm meadow-dawn minimal bytedance alibaba

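For full template descriptions, see references/templates.md

Execution steps

  1. Review the copy the user provides; if it is not in md format, ask the user whether to revise it into a compliant md format or to provide it again.
  2. Based on the user's content, suggest templates for the copy, and ask the user to confirm the template.
  3. Before executing, ask the user for the output directory, or suggest one based on the user's context or the default behavior, and require the user to confirm it.
  4. If any blocking problem occurs during execution, report it promptly.
  5. After execution completes, clearly inform the user.

Template selection suggestions

Suggest a note template based on the type of the user's copy, and ask the user to confirm which template they want.

Content type             Recommended templates
Knowledge notes          apple-notes, notebook, coil-notebook
Lifestyle                xiaohongshu, warm, meadow-dawn
Fashion and outfits      instagram, japanese-magazine
Tech and digital         minimalist, cyberpunk, darktech
Arts and emotion         typewriter, watercolor, dreamy
Business and workplace   business, bytedance, alibaba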

Debug options

# Export intermediate artifacts for debugging
node scripts/xhs-card.cjs render ./article.md \
  --dump-preview-html ./debug/preview.html \
  --dump-structured-html ./debug/structured.html \
  --dump-pagination-json ./debug/pagination.json

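Output after execution

After each render completes, clearly tell the user:

  1. The output directory and the key image paths
  2. totalPages (total page count), whether the theme mode fell back, and whether any warnings were triggered
  3. On failure: the failed stage (parsing/structuring/pagination/rendering) and suggested next steps

Architecture

Rendering pipeline: Markdown → HTML → structuring → pagination → PNG

Core modules are located in scripts/src/core/

  • markdown.ts - Markdown/MDX to HTML conversion
  • structure.ts - HTML post-processing
  • paginate.ts - Smart pagination
  • render.ts - Playwright PNG export
  • themes.ts - Theme loading and validation

For the full CLI reference, see references/cli-reference.md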

Files

44 total