Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tpt Generate Cover
v1.0.0
Generate a TPT cover using the AI Studio DinoCover tool and save it locally with the book title as filename.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (use AI Studio DinoCover to create a cover) aligns with the runtime steps (open DinoCover URL, upload reference images, read local TXT, fill fields, download output). However the skill requires use of a persisted browser profile ('geminibuild') with an active Google login and specific local paths (E:\AI\openclaw-tpt\...), yet the registry metadata lists no required config paths, env vars, or credentials — this mismatch is unexpected and should be declared.
Instruction Scope
SKILL.md instructs the agent to launch a browser with profile 'geminibuild', open a Google AI Studio URL, upload images from a local input folder, read the latest TXT file to extract title and content, and save a generated PNG to a specified output folder. Those file reads/writes and use of a logged-in browser session are within the feature's functional scope, but they involve access to local files and to a Google-authenticated browser profile (cookies/session tokens). The instructions explicitly forbid logging in or handling MFA, but they still rely on a pre-authenticated profile — this is sensitive and should be explicitly declared in the metadata and documentation.
Install Mechanism
No install spec or code is present; the skill is instruction-only. This minimizes supply-chain risk because no external binaries or archives are fetched by the skill itself.
Credentials
The skill requires access to a persisted Google login via a browser profile and to specific local filesystem paths, but the registry metadata lists no required environment variables, credentials, or config paths. Requesting access to an authenticated browser profile effectively grants access to Google account session tokens and possibly Drive data; such sensitive access should be explicitly declared and justified. Also, the hard-coded Windows paths (E:\...) reduce portability and imply the agent will access those exact locations.
Persistence & Privilege
The skill is not marked always:true and does not request persistent installation or modify other skills. It operates per-invocation and requires human hand-off conditions for login/MFA/captchas, which reduces autonomous risk.
What to consider before installing
This skill will launch a browser profile named 'geminibuild' that must already be logged into Google, and it will read/write files in specific local folders (E:\AI\openclaw-tpt\...). The registry metadata does not declare those config paths or the need for a logged-in profile — that's an inconsistency. Before installing or running: (1) verify the geminibuild profile is dedicated and contains no sensitive personal or organizational data (use a throwaway or limited account if possible); (2) confirm the input/output paths are correct and contain only intended files; (3) run the skill in an isolated VM or dedicated workspace if you worry about exposing Google session cookies or Drive access; (4) ask the skill author to update metadata to list required config paths and to document precisely what the agent will access; and (5) if you cannot verify those things, treat the skill as untrusted and avoid exposing high-value accounts or data to it.
Like a lobster shell, security has layers — review code before you run it.
