Tpt Generate Cover

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: tpt-generate-cover
Version: 1.0.0

This skill involves significant capabilities, including browser automation to interact with a Google AI Studio tool, uploading local files, and downloading generated content. It also performs local file system operations (reading input TXT/PNGs from `E:\AI\openclaw-tpt\input\` and writing output PNGs to `E:\AI\openclaw-tpt\output\COVER\`). While `SKILL.MD` includes explicit safety boundaries, the use of user-provided input (TITLE from the TXT file) for filename generation without explicit sanitization presents a path traversal vulnerability. The combination of browser control and file system access, coupled with the prompt-driven nature of the AI agent, creates a substantial attack surface for potential prompt injection to override safety instructions or exploit file system vulnerabilities, classifying it as suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may act through whatever Google account is logged into that browser profile; mistakes or overreach could expose or affect account resources beyond the cover-generation task.

Why it was flagged

The workflow asks the agent to operate with an already-authenticated Google browser session. The supplied registry metadata lists no primary credential, so this sensitive session dependency is under-declared.

Skill content

This skill uses browser profile `geminibuild`, which must already have a persisted Google login session.

Recommendation

Declare the Google session/profile requirement clearly, use a dedicated restricted Google account or browser profile, and require explicit user approval before using that session.

What this means

During a run, the agent can interact with the external web app, upload the selected local files, and download the generated image.

Why it was flagged

The skill delegates browser automation and file transfer to the agent. This is central to the stated purpose and includes stop conditions, but it is still a meaningful capability users should notice.

Skill content

Launch browser using profile `geminibuild`... Upload all reference images... Click "Generate Cover"... Download generated image.

Recommendation

Use the skill only for the intended workflow, keep the input and output folders dedicated, and verify the files before invoking it.

What this means

Story text and reference cover images placed in the configured input folders may be uploaded to the AI Studio app/provider.

Why it was flagged

The skill sends local reference images and story text to a Google AI Studio app. This is disclosed and purpose-aligned, but users should understand that local creative content leaves the local machine.

Skill content

Tool URL https://aistudio.google.com/apps/drive/... Upload all reference images... Fill STORY CONTEXT field.

Recommendation

Only place intended, non-sensitive files in the input folders and review the AI Studio app/provider’s data handling before use.