Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Generate Image

v1.0.0

Generate images using the generate-image CLI. Use when creating images, product photos, starting frames, or editing images with Gemini models (gemini-2.5-fla...

by Hung Quoc To (@quochungto)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and CLI usage all describe Gemini-based image generation and editing, and the provided model docs line up with that purpose. However, the skill provides no concrete install or runtime mechanism for the referenced 'generate-image' CLI, and the repository/homepage are opaque: the SKILL.md lists skillsmp and GitHub URLs, but there is no install spec and the source is 'unknown'. This mismatch (claiming a CLI that must perform API calls but not saying how it is provided or authenticated) is unexpected.
Instruction Scope
The runtime instructions are narrowly focused: they describe using a CLI to call Gemini models, take reference images from local paths, and write PNG outputs. They do not instruct the agent to read unrelated system files or to exfiltrate arbitrary data. The docs do mention Google Search grounding (model-level tooling), which implies network access to external services for grounding.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lowest disk-write risk). However, the SKILL.md assumes the existence of a 'generate-image' CLI and lists external URLs (skillsmp and a GitHub repo) without providing an install method. That means the runtime depends on an external binary that may not exist in the environment — a potential operational gap and a place where an agent or user may be prompted to fetch and execute code from an external source.
Credentials
No environment variables, credentials, or config paths are declared, yet the skill expects to call Google/Gemini provider APIs. Realistic usage of Gemini/Google APIs typically requires authentication (API keys, OAuth, or platform-provided credentials). The SKILL.md's claim of 'Free / No card needed' is inconsistent with calling paid provider APIs. Also, reference images supplied by users would be sent to whatever backend the CLI uses; the lack of declared endpoints or auth raises privacy and exfiltration concerns.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not declare modifying agent-wide settings. No install-time persistence mechanism is included, so there is no elevated privilege request in this dimension.
What to consider before installing
Before installing or using this skill, ask the publisher these questions:

1. Where does the 'generate-image' CLI come from and how do I install it? (Ask for a trusted package/source or an install script.)
2. How does the CLI authenticate to Gemini/Google (what env vars or credentials are required)? If it uses an external hosted backend, ask what endpoint images and prompts are sent to, the retention policy, and who can access them.
3. Why does the skill claim 'Free / No card needed' if it calls provider APIs — is processing happening on a paid hosted service?
4. Verify the GitHub repo and the skillsmp link before running any downloads.
5. Do not upload sensitive images (IDs, passports, proprietary designs) until you confirm the data flow and privacy.

If the publisher cannot clearly explain install/auth and data handling, treat the skill as risky.
