Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GEO Visual Content Engine
v3.0.5
Use when the user wants to turn a product and keyword opportunity into AI-generated visuals, structured product data, localized commerce copy, or export-read...
⭐ 0 · 507 · 1 current · 1 all-time
by Tim@geo-seo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, manifest.json, README, and the src/ modules all describe an e‑commerce asset pipeline (GEO analysis, Nano Banana/Gemini image generation, and optional Shopify/WooCommerce export). The required credentials (GOOGLE_API_KEY, SHOPIFY_*, WOOCOMMERCE_*) are coherent with that purpose. However, the top-level registry metadata you provided lists 'Required env vars: none' and 'Required binaries: none' while SKILL.md and the code clearly expect python3 and several env vars — this mismatch is a packaging/metadata inconsistency that reduces trust.
Instruction Scope
SKILL.md instructs the skill to call Google AI Studio (Nano Banana/Gemini) and optionally publish to Shopify/WooCommerce only when credentials and explicit publish flags are provided; it also instructs saving images to local storage. The instructions do not request unrelated system files or broad context collection. The policy to refuse platform publishing unless explicitly enabled is a good safeguard, but the agent instructions and codebase together can perform network calls and write files — review shopify.py/woocommerce.py for exact API behavior before providing store credentials.
Install Mechanism
There is no formal install spec in the registry, but the repo includes a requirements.txt and SKILL.md contains a pip install instruction. The absence of an automated install hook alongside a non-trivial Python codebase is an inconsistency (the skill is not truly instruction‑only). Dependencies include new google-genai / google-generativeai packages (PyPI) which are expected for Gemini integration but should be vetted for provenance. Overall install behavior is moderate risk because code will be installed/executed locally if you follow SKILL.md.
Credentials
Requested environment variables (GOOGLE_API_KEY for image generation; optional Shopify/WooCommerce credentials for publishing) are proportionate to the stated functionality. The main issue is that registry metadata claims no required env vars while SKILL.md and manifest declare several — this mismatch could cause accidental credential exposure if a user trusts the registry summary instead of reading SKILL.md. If you provide store credentials, ensure they are scoped/minimized and only provided when you explicitly enable publish actions.
Persistence & Privilege
The skill does not request always:true and does not declare any agent-level persistent privileges. It can write generated images and export packages to local storage and will perform network requests to image and store APIs when enabled. This is expected for its purpose; combine with least-privilege credentials and explicit opt-in for publishing.
What to consider before installing
This skill appears to implement what it claims (image generation + product-data + optional Shopify/WooCommerce export), but there are packaging and metadata inconsistencies you should address before installing or providing secrets. Steps to reduce risk:
- Verify the source repository (SKILL.md points to https://github.com/GEO-SEO/geo-visual-opportunity-engine). Inspect that repo and confirm the code there matches the packaged files and is from a trusted author.
- Review src/shopify.py and src/woocommerce.py to confirm what API endpoints are called and what data is sent when publish_to_* is enabled. Ensure no unexpected endpoints or credential exfiltration.
- Do not supply production store tokens or high-privilege keys initially: use a test store or read-only/limited-scope token and a throwaway Google API key for testing.
- Because there is no automated install spec, if you pip-install the package, do so in an isolated virtualenv or sandbox and review installed PyPI package versions (google-genai/google-generativeai) to confirm provenance.
- Consider running the tool with publish flags disabled first to validate analysis and image-generation behavior; only enable direct publishing when you trust the code and have appropriate secrets policy.
Confidence is medium because the code and docs mostly align with the claimed purpose, but the mismatches in registry metadata and missing install spec are suspicious and deserve manual review.
Tags: GEO, SEO, latest
