Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xhs Cover Skill
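v3.0.0
Generates Xiaohongshu-style cover images. Use cases: (1) the user asks to generate a Xiaohongshu cover (2) the user asks to generate a social media cover image (3) the user wants an illustration generated for a note/article (4) the user asks about their credit balance or generation history. On first use, the user is automatically guided through registration.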
by @xwchris
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and runtime instructions all describe invoking the xhscover CLI to generate Xiaohongshu-style covers. Requiring npx (to run the npm CLI package) and calling api.xhscover.cn are coherent with that purpose.
Instruction Scope
SKILL.md directs the agent to run 'npx xhscover' commands (generate, balance, history, setup). It explicitly states the API key and cover text will be sent to api.xhscover.cn — this is within scope for a cloud-based image-generation CLI but is important privacy-relevant behavior the user should be aware of.
Install Mechanism
No install spec; skill is instruction-only and includes a small wrapper script that execs 'npx xhscover'. That is low-risk from the skill bundle perspective. Note: npx will fetch/execute code from the npm registry at runtime (normal for npm CLIs).
Credentials
The skill declares no required env vars and no unusual config paths. The README/SKILL.md indicate the CLI will register and store an API Key in ~/.xhscover and will transmit that key and user-provided text to the service — this is proportionate to the stated functionality but is sensitive and worth user attention.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills or system-wide configs (aside from the CLI's own storage of an API Key, which is expected).
Assessment
This skill is coherent: it runs the xhscover npm CLI via npx and sends your API Key and the cover text to api.xhscover.cn for generation. Before installing or using it, confirm you trust the xhscover service and the npm package (review the package source on GitHub and npm). Be aware that: (1) the CLI will store an API Key locally (README says ~/.xhscover); (2) any text you provide will be transmitted to the remote service; (3) npx will fetch and execute code from npm at runtime, which can run arbitrary install/runtime scripts — review the npm package source or use an isolated environment if you have concerns. If the data you plan to send is sensitive, avoid using this skill or create a limited/test API key. If you want stronger assurance, inspect the upstream xhscover-cli repository code and the privacy policy of xhscover.cn before proceeding.
Like a lobster shell, security has layers — review code before you run it.
