ℹ Purpose & Capability
The name/description (generate Xiaohongshu-style covers) aligns with the runtime (npx xhscover → api.xhscover.cn). In practice, however, the skill requires an API key (and stores it locally), while the skill metadata declares no required environment variable or primary credential. That omission is inconsistent with the stated need to provide an API Key.
! Instruction Scope
SKILL.md explicitly instructs running npx xhscover commands that send your cover text and API Key to api.xhscover.cn and may auto-register on first use. It also documents that the CLI saves the API Key under ~/.xhscover. The instructions do not read unrelated system files, but they do cause credential storage and transmission to a third-party service, and the skill metadata declares neither the config path nor the credential requirement.
ℹ Install Mechanism
There is no install spec (instruction-only), and the included script simply execs 'npx xhscover'. Using npx fetches and executes a package from the npm registry at runtime, which is normal for a CLI but means remote code runs on demand. The README and SKILL.md point to an npm package and a GitHub repo, which helps validation, but you should still inspect the npm package and repo before use.
! Credentials
Functionally the CLI needs a single API Key (reasonable for the purpose), but requires.env and primaryEnv are empty in the metadata. The skill will persist the API key to ~/.xhscover (not declared). The absence of declared credential/config requirements is a mismatch that reduces transparency and increases risk.
ℹ Persistence & Privilege
The skill is not always:true and does not request elevated platform privileges. It does, however, cause persistent storage of the API Key in the user's home directory (~/.xhscover) via the CLI. That persistence is within the skill's scope but should have been declared in the metadata (required config path).
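The metadata gaps flagged above (a credential and a config path that the instructions rely on but the metadata never declares) can be checked mechanically. The following is an added example, not part of this report or of the xhscover project; the metadata keys (requires.env, primaryEnv, configPaths) and the sample SKILL.md text are assumptions modelled on the findings above.

```python
import re

# Constructed sample modelled on the review: metadata with empty credential
# declarations, and instruction text that nonetheless uses an API Key,
# a config path, an npx-fetched package and a remote endpoint.
SAMPLE_METADATA = {
    "name": "xhscover",
    "description": "Generate Xiaohongshu-style covers",
    "always": False,
    "requires": {"env": []},   # assumed schema key
    "primaryEnv": "",          # assumed schema key
    "configPaths": [],         # assumed schema key
}
SAMPLE_INSTRUCTIONS = """
Run `npx xhscover --title "..."` to render a cover. On first use the CLI
auto-registers and asks for an API Key, which it saves under ~/.xhscover.
Cover text and the API Key are sent to api.xhscover.cn.
"""

CRED_RE = re.compile(r"\b(api[ _-]?key|token|secret)\b", re.I)
PATH_RE = re.compile(r"~/\.[\w-]+(?:\.[\w-]+)*")
NPX_RE = re.compile(r"\bnpx\s+([\w@/.-]+)")
HOST_RE = re.compile(r"\b[\w-]+\.(?:[\w-]+\.)+[a-z]{2,}\b")


def audit_skill(metadata, instructions):
    """Return (severity, message) pairs for mismatches between what the
    instructions will do and what the metadata declares."""
    findings = []
    declared_env = (metadata.get("requires") or {}).get("env") or []
    primary = metadata.get("primaryEnv") or ""
    # Credential used by the instructions but undeclared in metadata.
    if CRED_RE.search(instructions) and not declared_env and not primary:
        findings.append(("warn", "instructions reference a credential but "
                                 "requires.env/primaryEnv are empty"))
    # Home-directory config paths used but not declared.
    declared_paths = set(metadata.get("configPaths") or [])
    for path in sorted(set(PATH_RE.findall(instructions)) - declared_paths):
        findings.append(("warn", f"config path {path} used but not declared"))
    # Remote code fetched at runtime, and remote endpoints that receive data.
    for pkg in sorted(set(NPX_RE.findall(instructions))):
        findings.append(("info", f"npx {pkg}: package fetched and executed "
                                 "from the npm registry at runtime"))
    for host in sorted(set(HOST_RE.findall(instructions))):
        findings.append(("info", f"data is sent to remote host {host}"))
    return findings
```

Declaring the credential and config path in the metadata clears the warnings; the runtime-execution and remote-host items remain informational because they are inherent to the skill's design.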
What to consider before installing or using this skill
- The skill runs a third-party npm CLI (npx xhscover), which downloads and executes code from the npm registry at runtime. This is expected for a CLI, but it means remote code runs on your machine; inspect the npm package and GitHub repo first.
- Using the skill sends your API Key and the cover text you provide to api.xhscover.cn. Any sensitive information you include in the prompt will be transmitted.
- The CLI stores your API Key locally (the README notes ~/.xhscover). The skill metadata declares neither this config path nor a required credential; treat that omission as a transparency gap.
- Actions you can take: verify the npm package (npmjs page), review the GitHub repository code and issues, check the publisher's reputation, and consider creating a dedicated, minimal API key for this service. If you are uncomfortable, do not enable autonomous invocation, or avoid installing the skill altogether; instead, run the CLI manually in a controlled environment to test it first.
Confidence note: I judged this as 'suspicious' because the behavior is consistent with the skill's purpose but the metadata omissions (no declared API key or config path) and runtime execution of remote npm code warrant extra caution. Additional evidence that would change the verdict: an authoritative homepage and verified GitHub repo matching the npm package, explicit metadata listing the config path or credential, or a reproducible audit of the npm package contents showing no unexpected actions.