ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill X Post Ai Image

v1.0.1

Generate an AI image via Gemini and post it to X (Twitter) using OAuth1. Supports text-only or text+image tweets.

0· 301·1 current·1 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (Gemini image → post to X) match the included script and SKILL.md. Declared required binaries (uv, xurl) match what the script runs. However the registry metadata lists no required env vars or credentials even though the runtime needs X OAuth keys and a GEMINI_API_KEY, so the manifest is incomplete.
!
Instruction Scope
SKILL.md and the script require environment variables (GEMINI_API_KEY, X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) and instruct running a separate nano-banana-pro script; those env vars are not declared in the registry metadata. The script reads X_* creds at module import time (os.environ[...] without defaults), which will raise immediately if absent. The instructions also assume presence of another skill's script at a hard-coded path (/home/linuxbrew/.../nano-banana-pro/scripts/generate_image.py), which is outside this skill's bundle and could be missing or point to unexpected code.
Install Mechanism
There is no install spec (instruction-only), which keeps disk write risk low. But the Python script depends on packages (Pillow, requests_oauthlib) that are neither declared nor installed by the skill; runtime will fail unless the environment already has these. The reliance on an external skill's script path is brittle and raises supply-chain/availability concerns.
!
Credentials
The skill requires multiple sensitive credentials (X OAuth1 consumer/consumer_secret/access token/secret and GEMINI_API_KEY) to function, which are proportionate to the stated purpose. The problem is these required credentials are not declared in the registry metadata (required env vars: none / primary credential: none), increasing the chance a user will supply secrets in an unexpected way. The script also passes GEMINI_API_KEY into a subprocess environment and base64-encodes image data for upload (expected for Twitter), but lack of explicit declaration and documentation in the registry is a notable mismatch.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as an on-demand command/script with no persistent presence declared.
What to consider before installing
This skill appears to do what it claims (generate a Gemini image and post it to X), but the package metadata is incomplete and brittle. Before installing or running it: (1) Do not paste secrets into your environment unless you trust the source — the script requires X OAuth1 keys and GEMINI_API_KEY but the registry did not declare them. (2) Verify and/or supply the nano-banana-pro generate_image.py it calls — the script defaults to a hard-coded path outside the bundle; inspect that file so you know what code will run. (3) Ensure Python dependencies (Pillow, requests_oauthlib) are installed in a controlled environment. (4) Prefer running this in an isolated/test environment first and confirm xurl and uv are the expected CLIs. If you need to proceed safely, ask the publisher to update the registry: declare required env vars, list Python dependencies, and avoid hard-coded paths or include the image-generation implementation instead of relying on another skill's file.

Like a lobster shell, security has layers — review code before you run it.

latestvk9745g5adxde8pzf7bdpc49ybh8208cw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsuv, xurl

SKILL.md

X Post with AI-Generated Image

Generate a Gemini AI image from a text prompt, compress it, and post it as a tweet — all in one command.

Prerequisites

  • xurl CLI (X/Twitter auth) — see xurl skill
  • GEMINI_API_KEY env var
  • nano-banana-pro skill installed (OpenClaw)
  • uv Python runner

Setup

export GEMINI_API_KEY="your-gemini-api-key"
export X_CONSUMER_KEY="..."
export X_CONSUMER_SECRET="..."
export X_ACCESS_TOKEN="..."
export X_ACCESS_TOKEN_SECRET="..."

Usage

# Post tweet with AI-generated image
python3 scripts/post_with_image.py \
  --text "Your tweet text here" \
  --prompt "AI image prompt — describe the visual"

# Text-only tweet
python3 scripts/post_with_image.py \
  --text "Your tweet text" \
  --no-image

How it works

  1. Calls Gemini image generation with prompt → PNG
  2. Compresses + resizes to 1200×675 JPEG (Twitter optimal)
  3. Uploads via Twitter media API (OAuth1)
  4. Posts tweet with media via xurl

Inputs

ParamDescription
--textTweet text (required)
--promptImage generation prompt (optional)
--no-imageSkip image, post text only

Output

Tweet posted; media ID and confirmation logged to stdout.

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…