Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Selfie

v1.2.1

AI agent self-portrait generator. Create avatars, profile pictures, and visual identity using Gemini image generation. Supports mood-based generation, season...

8 · 3.1k · 7 current · 8 all-time
by 김덕환 (@iisweetheartii)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (a self-portrait/avatar generator) line up with the one required binary (python3) and the single required env var (GEMINI_API_KEY), which is exactly the credential a Gemini-based image generator needs.
Instruction Scope
SKILL.md examples and the included script stay within scope: they build image prompts, call the Gemini API, write PNGs and an HTML gallery, and offer optional integration suggestions. There are no instructions to read unrelated secrets or system files. HEARTBEAT.md suggests optional avatar updates (manual/integrated workflows) but there is no code that exfiltrates data or modifies other skills.
Install Mechanism
No install spec (instruction-only + a small Python script). The script uses only Python stdlib (urllib, pathlib, etc.). No downloads from untrusted URLs or package installs are present.
Credentials
Only GEMINI_API_KEY is required; no unrelated credentials are requested. Note: the script passes the API key as a URL query parameter when calling the Google endpoint (generativelanguage.googleapis.com). That works, but query strings are written to proxy and server access logs, shell history and browser referrers, so a request header (the Gemini API accepts x-goog-api-key) is the safer place for the credential. This is an implementation weakness, not an incoherence between the skill's stated purpose and its code.
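The query-string issue described above, as an added example that is not the skill's own script: it builds the generateContent request with the key in the x-goog-api-key header, detects the key-in-URL pattern the scan reports, and redacts the key before anything is logged. The endpoint path, header name and body shape follow Google's public API documentation; the model id "example-model" and the prompt are placeholders.

```python
# Added example (not the skill's script): keep the Gemini API key out of the URL.
# Endpoint path, body shape and the x-goog-api-key header follow Google's public
# generateContent docs; "example-model" is a placeholder model id.
import json
import os
import urllib.parse
import urllib.request

GEMINI_HOST = "https://generativelanguage.googleapis.com"
API_KEY_HEADER = "x-goog-api-key"


def url_leaks_key(url: str, key_param: str = "key") -> bool:
    """True if the URL carries an API key as a query parameter.

    Query strings end up in proxy logs, shell history and referrers, which is
    the reason a header is preferred for the credential.
    """
    query = urllib.parse.urlparse(url).query
    return key_param in urllib.parse.parse_qs(query)


def build_image_request(prompt: str, api_key: str, model: str = "example-model"):
    """Return (url, headers, body) for a generateContent call.

    The key travels in the x-goog-api-key header; the URL holds only the model
    path, so it can be logged without redaction.
    """
    if not api_key:
        raise ValueError("GEMINI_API_KEY is not set")
    url = f"{GEMINI_HOST}/v1beta/models/{urllib.parse.quote(model)}:generateContent"
    headers = {API_KEY_HEADER: api_key, "Content-Type": "application/json"}
    body = json.dumps({"contents": [{"parts": [{"text": prompt}]}]}).encode()
    return url, headers, body


def to_urllib_request(prompt: str, api_key: str, model: str = "example-model") -> urllib.request.Request:
    """Wrap the pieces in a stdlib Request, ready for urllib.request.urlopen()."""
    url, headers, body = build_image_request(prompt, api_key, model)
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def redact(text: str, api_key: str) -> str:
    """Mask the key before a URL, header dump or exception text is logged."""
    return text.replace(api_key, "[REDACTED]") if api_key else text


if __name__ == "__main__":
    key = os.environ.get("GEMINI_API_KEY", "")
    url, headers, _ = build_image_request("a lobster wearing a lab coat", key)
    print("key in URL:", url_leaks_key(url))
    print("request URL:", redact(url, key))
```

url_leaks_key() is also a quick check to run against the URL the skill's script actually builds: if it returns True, the key is in the query string and will show up wherever that URL is logged.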
Persistence & Privilege
The always flag is false and the skill is user-invocable. It does not request persistent system-wide privileges or alter other skills' configs. The SKILL.md includes a cron example that embeds the key in the crontab line; a key stored in a crontab or any other world-readable file can be read by other local users, so keep it in a file only you can read.
Assessment
This skill appears to do exactly what it says: generate selfies via the Gemini image API using your GEMINI_API_KEY. Before installing, consider:
(1) Protect your GEMINI_API_KEY: do not commit it to public repos or place it in world-readable files, and prefer a restricted API key with only the permissions this skill needs.
(2) The script sends your prompt and personality text to Google's generativelanguage.googleapis.com endpoint, so keep sensitive personal data out of the prompts.
(3) The cron example puts the key on the crontab line; that leaks if other users can read your cron files, so prefer a wrapper that loads the key from a file with mode 0600 or another protected environment source.
(4) The script writes images to disk (default ~/Projects/tmp or ./tmp); make sure the output directory has appropriate permissions and enough free space.
If these concerns are acceptable, the skill is coherent and reasonably safe to use.
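The key-storage and output-directory points from the Persistence & Privilege and Assessment sections above, as an added example that is not the skill's code: a loader that refuses a key file that is group/world readable, not a regular file, or not owned by the caller; an output directory created owner-only with a free-space check; and a PNG writer that creates files with mode 0600 and refuses to overwrite an existing path. The file names, the 50 MiB threshold and POSIX permission semantics are assumptions for illustration.

```python
# Added example (not the skill's script): keep the key and the generated images
# readable by the owner only. Paths, the free-space threshold and POSIX mode
# semantics are assumptions for illustration.
import os
import shutil
import stat
import tempfile

MIN_FREE_BYTES = 50 * 1024 * 1024  # assumed headroom for a few PNGs plus the gallery


class KeyFileError(Exception):
    pass


def load_api_key(path: str) -> str:
    """Read the key only from a regular file we own with no group/other permission bits."""
    st = os.lstat(path)  # lstat: a symlink dropped in place of the file is rejected
    if not stat.S_ISREG(st.st_mode):
        raise KeyFileError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise KeyFileError(f"{path}: not owned by the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise KeyFileError(f"{path}: readable by group/others (mode {mode:o}); expected 0600")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not key:
        raise KeyFileError(f"{path}: empty")
    return key


def prepare_output_dir(path: str, min_free: int = MIN_FREE_BYTES) -> str:
    """Create the image directory owner-only and require some free space."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)  # makedirs is subject to umask, so tighten explicitly
    if shutil.disk_usage(path).free < min_free:
        raise OSError(f"{path}: fewer than {min_free} bytes free")
    return path


def write_private(path: str, data: bytes) -> None:
    """Create the file with mode 0600; O_EXCL refuses to follow a pre-placed file or symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Exercise the checks on a temporary key file and output dir; return what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "gemini.key")
        with open(key_path, "w", encoding="utf-8") as fh:
            fh.write("example-key\n")  # constructed placeholder, not a real key
        os.chmod(key_path, 0o644)  # the world-readable case the scan warns about
        try:
            load_api_key(key_path)
            result["insecure_rejected"] = False
        except KeyFileError:
            result["insecure_rejected"] = True
        os.chmod(key_path, 0o600)
        result["key"] = load_api_key(key_path)
        out = prepare_output_dir(os.path.join(tmp, "out"), min_free=0)
        result["out_mode"] = stat.S_IMODE(os.stat(out).st_mode)
        png = os.path.join(out, "selfie.png")
        write_private(png, b"\x89PNG\r\n\x1a\n")  # PNG signature only, constructed
        result["png_mode"] = stat.S_IMODE(os.stat(png).st_mode)
    return result


if __name__ == "__main__":
    print(demo())
```

For the cron case, the crontab line then runs a small wrapper that calls load_api_key(), puts the result in the child's environment and executes the skill's script, so the crontab itself never contains the secret.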

Like a lobster shell, security has layers — review code before you run it.

latest: vk9760esjqnfhspnn95rxfc08v18180ca


Runtime requirements

🤳 Clawdis
Bins: python3
Env: GEMINI_API_KEY
Primary env: GEMINI_API_KEY
