Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gemini Image CLI

v0.1.0

Generate and edit images with a bundled Gemini native image-generation CLI. Use when the user asks Codex to create images with Gemini, use Gemini image gener...

Security Scan

Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill's stated purpose (image generation/editing with a bundled Gemini CLI) matches the included script's behavior: the script constructs Gemini generateContent requests, accepts input images, and writes image outputs. However, the registry metadata declares no required environment variables or credentials while both SKILL.md and the script rely on several endpoint/key environment variables (GEMINI_LOCAL_ENDPOINT, GEMINI_LOCAL_API_KEY, GEMINI_GOOGLE_ENDPOINT, GEMINI_API_KEY). That mismatch is incoherent: a user installing this should be told what credentials/endpoints are required.
Instruction Scope
SKILL.md instructs the agent to run the bundled script and only to read references/behavior.md for troubleshooting or configuration decisions. The instructions do not direct the agent to read arbitrary unrelated files or transmit unrelated system data. The script legitimately reads input image files and saves outputs and raw JSON — behaviors consistent with an image-generation CLI.
Install Mechanism
There is no install spec and the repository contains a single bundled Bash script; no remote downloads or package installs are performed. This minimizes supply-chain risk compared with arbitrary network installs. The script will be written to disk as part of the skill bundle (it already exists in the package).
Credentials (flagged)
The script and documentation rely on environment variables for endpoints and keys (GEMINI_LOCAL_ENDPOINT, GEMINI_LOCAL_API_KEY, GEMINI_GOOGLE_ENDPOINT, GEMINI_API_KEY) but the registry lists no required env vars or primary credential. The script contains a default placeholder local API key (sk-123456) which may be a seed value but resembles real API-key patterns. Requesting runtime access to a Google Gemini API key (GEMINI_API_KEY) is proportional to the stated purpose, but omitting this from declared requirements and having defaults that look like keys is an incoherence and could lead to accidental exposure of real keys if misconfigured.
Persistence & Privilege
The skill is not marked always:true and does not request elevated persistence or modifications to other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk privileges.
What to consider before installing
This CLI script appears to implement Gemini image generation legitimately, but there are important inconsistencies and things to check before installing or running it:

  - The registry metadata lists no required environment variables, yet the script and documentation expect GEMINI_LOCAL_ENDPOINT, GEMINI_LOCAL_API_KEY, GEMINI_GOOGLE_ENDPOINT, and GEMINI_API_KEY. Ask the publisher to explicitly declare required env vars and which one is the primary credential.
  - The script may send your GEMINI_API_KEY to Google if it falls back to the google provider. Avoid running it in untrusted runtimes or shells that already contain real keys in environment variables; prefer a local Gemini-compatible proxy bound to 127.0.0.1 for key isolation.
  - The script contains a placeholder default API key value (sk-123456). Confirm with the author that this is a harmless placeholder and not a hardcoded credential to a live account.
  - Review the full script yourself (or have someone you trust review it) before giving it network access: it performs HTTP requests with curl and writes files; ensure it does not call unexpected remote endpoints beyond the configured GEMINI endpoints.
  - If you plan to use this in a shared or production environment, run it in an isolated container, do not expose your real Google key to the runtime, and verify that the local proxy (if used) binds to localhost and does not forward credentials to external hosts.

If the author can update the registry metadata to declare the required env vars and clarify the default-key behavior, that would resolve the primary incoherence and raise confidence that the skill's footprint matches its description.
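The isolation and review steps above can be applied mechanically before the skill is ever run. The wrapper below is an added example written for this page; it is not code shipped with the skill and not produced by ClawHub. It assumes a local proxy at http://127.0.0.1:8080, uses generativelanguage.googleapis.com as the one expected Google host for the static audit, and treats the sk-123456 value named in the report as the placeholder to refuse. The sample script it audits is constructed here for the demonstration and is not the real gemini-image.sh.

```shell
#!/usr/bin/env bash
# Added example (not part of the skill or its scan report): preflight checks
# for running a bundled CLI with key isolation.
# Assumptions: proxy at http://127.0.0.1:8080, Google host
# generativelanguage.googleapis.com, placeholder key "sk-123456".

# Return 0 only when the URL's host is exactly a loopback address.
# Strict matching avoids accepting hosts such as 127.0.0.1.evil.example.
endpoint_is_loopback() {
  hostport=${1#*://}          # drop scheme
  hostport=${hostport%%/*}    # drop path and query
  hostport=${hostport##*@}    # drop userinfo
  case $hostport in
    \[*\]*) host=${hostport%%]*}; host=${host#"["} ;;   # bracketed IPv6
    *)      host=${hostport%%:*} ;;                     # strip port
  esac
  case $host in
    127.0.0.1|localhost|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when the key is unset or the scanner-flagged default placeholder.
key_is_placeholder() {
  case $1 in
    ''|sk-123456) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit status: 0 ok, 1 endpoint is not loopback, 2 key unset or placeholder.
preflight() {
  if ! endpoint_is_loopback "$1"; then
    echo "refusing: local endpoint is not loopback: $1" >&2; return 1
  fi
  if key_is_placeholder "$2"; then
    echo "refusing: GEMINI_LOCAL_API_KEY is unset or the sk-123456 placeholder" >&2; return 2
  fi
  return 0
}

# Run the bundled script with a minimal environment. env -i drops every
# inherited variable, so a real GEMINI_API_KEY in the caller's shell can never
# reach the script; --provider local disables the documented Google fallback.
run_isolated() {
  endpoint=${GEMINI_LOCAL_ENDPOINT:-http://127.0.0.1:8080}
  preflight "$endpoint" "${GEMINI_LOCAL_API_KEY-}" || return $?
  env -i PATH="$PATH" HOME="$HOME" \
    GEMINI_LOCAL_ENDPOINT="$endpoint" GEMINI_LOCAL_API_KEY="$GEMINI_LOCAL_API_KEY" \
    ./scripts/gemini-image.sh --provider local "$@"
}

# Print every https?:// host referenced in a script that is NOT in the
# space-separated allowlist. Hosts built from shell variables cannot be
# resolved statically; they are reported on stderr for manual review.
audit_script_hosts() {
  script=$1
  allow=" $2 "
  grep -oE 'https?://[^/"'"'"' ]+' "$script" | sort -u | while read -r u; do
    h=${u#*://}
    h=${h%%:*}
    case $h in
      *\$*) echo "variable host, review manually: $u" >&2; continue ;;
    esac
    case $allow in
      *" $h "*) ;;
      *) echo "$h" ;;
    esac
  done
}

# CONSTRUCTED stand-in for a skill script (not the real gemini-image.sh),
# so the audit can be demonstrated offline.
write_constructed_sample() {
  cat >"$1" <<'EOF'
#!/usr/bin/env bash
curl -sS "https://generativelanguage.googleapis.com/v1beta/models/m:generateContent" -d @req.json
curl -sS "${GEMINI_LOCAL_ENDPOINT}/v1beta/models/m:generateContent" -d @req.json
curl -sS "https://$PROXY_HOST/v1beta/models/m:generateContent" -d @req.json
curl -sS https://telemetry.example.net/ping
EOF
}

# Demo on the constructed sample: the unexpected host goes to stdout, the
# variable-built host to stderr, the allowlisted Google host is silent.
sample=$(mktemp)
write_constructed_sample "$sample"
audit_script_hosts "$sample" "generativelanguage.googleapis.com"
rm -f "$sample"
```

The audit is static: it finds literal URLs in the script text, so a host assembled at runtime still needs a manual read (the stderr line points at it), and endpoint_is_loopback checks the configured address, not what the proxy actually binds to or forwards. Those two items from the list above remain a human review step.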

Like a lobster shell, security has layers — review code before you run it.

latest: vk97e9bpf2ra473xc1zqsgbxr098544nb
22 downloads
0 stars
1 version
Updated 6h ago
v0.1.0
MIT-0

Gemini Image CLI

Use ./scripts/gemini-image.sh for Gemini native image generation. Prefer this bundled script over writing one-off curl commands.

Workflow

  1. Run ./scripts/gemini-image.sh with the user's prompt and any requested options.
  2. Do not ask which endpoint to use for ordinary requests. The script auto-selects the provider: local Gemini-compatible proxy first, then Google fallback.
  3. Keep default settings for ordinary single-image generation: gemini-3.1-flash-image-preview, size 512, aspect 16:9.
  4. Use gemini-2.5-flash-image when latency matters more than latest image quality.
  5. Use gemini-3-pro-image-preview when the user needs stronger instruction following, text rendering, or professional-quality output.
  6. Confirm before multi-model batches, many retries, or other repeated calls that may consume extra quota.
  7. Read references/behavior.md only when explaining provider/security tradeoffs, choosing non-default models, configuring a local Gemini-compatible proxy, troubleshooting slow or failed requests, or modifying the CLI.

Common Commands

Generate one image:

./scripts/gemini-image.sh "A cute orange kitten sitting on a soft blanket"

Generate with an explicit output path or prefix. The script chooses the final extension from the returned image MIME type:

./scripts/gemini-image.sh "Draw two kittens play-fighting" --output ./out/kittens.png

Use a faster model:

./scripts/gemini-image.sh "Draw two kittens play-fighting" --model gemini-2.5-flash-image

Force Google official endpoint:

./scripts/gemini-image.sh "Draw two kittens play-fighting" --provider google

Force local proxy endpoint:

./scripts/gemini-image.sh "Draw two kittens play-fighting" --provider local

Use a larger output size:

./scripts/gemini-image.sh "A cinematic poster of two kittens" --size 1K --aspect 16:9

Use an input image for image-guided generation or editing:

./scripts/gemini-image.sh "Turn this cat photo into a watercolor illustration" --image cat.jpg

Output Contract

The script prints human-readable logs to stderr and machine-readable results to stdout.

Successful stdout lines:

image=<path>
raw_json=<path>
text=<path>
duration_seconds=<seconds>

text= appears only when --with-text is enabled.
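A caller that drives the script (an agent harness, a batch job) should consume only the stdout contract above and treat anything else as a protocol error. The parser below is an added example for this page, not code from the skill; the result lines it is fed are constructed from the contract, and the RESULT_* variable names are its own.

```shell
#!/usr/bin/env bash
# Added example (not part of the skill): parse the stdout contract
# (image=, raw_json=, optional text=, duration_seconds=) into RESULT_* vars.
# Only stdout is parsed; stderr carries the human-readable logs and must be
# captured separately (e.g. 2>run.log). Returns 1 on a malformed line, an
# unknown key, a duplicate key, a non-numeric duration, or a missing
# required key, so a wrapper never acts on partial or unexpected output.
parse_gemini_output() {
  RESULT_IMAGE= RESULT_RAW_JSON= RESULT_TEXT= RESULT_DURATION=
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    key=${line%%=*}
    val=${line#*=}
    if [ "$key" = "$line" ] || [ -z "$key" ]; then
      echo "malformed result line: $line" >&2; return 1
    fi
    case $key in
      image)
        [ -z "$RESULT_IMAGE" ] || { echo "duplicate key: image" >&2; return 1; }
        RESULT_IMAGE=$val ;;
      raw_json)
        [ -z "$RESULT_RAW_JSON" ] || { echo "duplicate key: raw_json" >&2; return 1; }
        RESULT_RAW_JSON=$val ;;
      text)   # present only when --with-text was requested
        [ -z "$RESULT_TEXT" ] || { echo "duplicate key: text" >&2; return 1; }
        RESULT_TEXT=$val ;;
      duration_seconds)
        case $val in
          ''|*[!0-9.]*) echo "bad duration: $val" >&2; return 1 ;;
        esac
        RESULT_DURATION=$val ;;
      *)
        echo "unexpected key in result: $key" >&2; return 1 ;;
    esac
  done
  if [ -z "$RESULT_IMAGE" ] || [ -z "$RESULT_RAW_JSON" ] || [ -z "$RESULT_DURATION" ]; then
    echo "missing required key (image, raw_json, duration_seconds)" >&2; return 1
  fi
  return 0
}

# Demo on a CONSTRUCTED result (the paths and duration are made up here,
# not produced by a real run).
parse_gemini_output <<'EOF' && echo "image: $RESULT_IMAGE (${RESULT_DURATION}s)"
image=./out/kittens.png
raw_json=./out/kittens.json
duration_seconds=4.2
EOF
```

In a real wrapper, run the script as `out=$(./scripts/gemini-image.sh "prompt" 2>run.log)` and then feed `$out` to the parser through a here-document rather than a pipe, so the RESULT_* variables are set in the calling shell instead of a subshell.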

Safety

Do not expose full Google Gemini API keys in conversation or source files. Prefer the local proxy mode when the runtime should not have access to the real Google key.

The script masks keys in curl logs and redacts input-image base64 from printed request bodies.

Do not enable retries automatically for ambiguous multi-request tasks. Retries can submit additional generation requests and may incur additional cost.
