GlucoDNA Ad Image Generator

Pass. Audited by ClawScan on May 11, 2026.

Overview

This skill appears to do what it says—generate a GlucoDNA ad image with Gemini—but it uses a Gemini API key, installs Python packages, sends ad content to Google, and should be used carefully for health-claim advertising.

Before installing, use a dedicated Gemini API key with limits, install dependencies in a virtual environment, and avoid adding private customer or business data to prompts. The script itself is small and purpose-aligned, but verify the health claims and testimonial permissions before publishing any generated ad.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your Gemini account quota or billing through the configured API key.

Why it was flagged

The script authenticates to Gemini with an API key taken from a local variable (populated from TOOLS.md, if present) and otherwise from the GEMINI_API_KEY environment variable. This is expected for Gemini image generation, but the key is still a credential with billing and account authority.

Skill content
GEMINI_API_KEY = GEMINI_API_KEY or os.environ.get("GEMINI_API_KEY")
Recommendation

Use a dedicated Gemini key with quota limits, avoid storing broad secrets in shared files, and rotate the key if it may be exposed.

What this means

Ad prompts and any content added to them would be processed by Google Gemini rather than staying fully local.

Why it was flagged

The skill sends the downloaded product image and ad prompt to the Gemini provider API. This is central to the skill's purpose, but it is an external data flow.

Skill content
client.models.generate_content(
        model="gemini-3-pro-image-preview",
        contents=[
            types.Part.from_bytes(data=img_bytes, mime_type="image/png"),
            PROMPT
        ]
Recommendation

Do not add private customer data, order details, or confidential business information to the prompt unless you are comfortable sending it to the provider.

What this means

Installing dependencies may pull current package versions from the package registry, which could change over time.

Why it was flagged

The skill asks the user to install Python packages without pinned versions or a lockfile. The packages are purpose-aligned, but unpinned installs carry normal package supply-chain risk.

Skill content
Python packages: `pip install google-genai requests`
Recommendation

Install in a virtual environment, consider pinning known-good versions, and use trusted package indexes.

What this means

Customer-derived health testimonials or claims could be reused in generated marketing materials without independent consent or accuracy checks.

Why it was flagged

The product knowledge file is based partly on customer-support conversations and voice transcription. It is static context rather than active memory, but it may be reused as advertising source material.

Skill content
Data source: Facebook Messenger customer-service conversations (Jacky Lai) + hk3.com.my
**Build method:** automated scraping + speech-to-text (Gemini 2.5 Flash)
Recommendation

Verify consent, anonymization, and factual support for any testimonial or health claim before publishing generated ads.

What this means

Generated ads may look medically authoritative and could be relied on by viewers if published.

Why it was flagged

The generated ad prompt includes health-improvement claims and an authority label. This is aligned with the ad-generation purpose, but it can affect user trust and may require substantiation.

Skill content
[Testimonials] "✅ Night-time urination reduced from 3-4 times to 0-1" "✅ Noticeably less foamy urine" "✅ Kidney indices improved"
[Footer] "016-7656000 Ms Lai (nutritionist)"
Recommendation

Have health, legal, or compliance reviewers validate claims and required disclaimers before using the image publicly.