!
Purpose & Capability
The skill claims to produce advertising images from a product URL + brand profile; that aligns with the included prompts and pipeline. However, the SKILL.md explicitly instructs the agent to pick talent/model files from a local path (~/clawd/models-catalog/...), to deploy ComfyUI nodes on ComfyDeploy, and to call image backends (Nano Banana Pro / Imagen 3). The manifest declares no required config paths, no environment variables, and no credentials. Requiring local model assets and third‑party image/compute services is plausible for the feature, but the manifest's lack of declared config/credential requirements is inconsistent with those instructions.
!
Instruction Scope
The SKILL.md tells the agent to scrape product pages (download images, extract text), analyze optional reference images, and enforce 'exact' replication of talent poses/facial features. It also references an explicit local filesystem path for model/talent images and uses placeholders like {baseDir}. Those instructions go beyond a simple 'call an API' flow and will require reading local files and contacting external services. The requirement to replicate a person’s face/pose exactly raises privacy/likeness and copyright/ethics concerns (possible deepfake/copyright risk).
ℹ
Install Mechanism
There is no install spec (instruction-only), which reduces installer risk. However a non-trivial code file (scripts/generate.py, ~23 KB) is included in the bundle — the repo link is visible in SKILL.md. Because the skill contains executable script(s) but no declared install or runtime permissions, it's unclear how and when those files are executed and what network or filesystem operations they perform. Reviewing generate.py is recommended before enabling.
!
Credentials
The manifest declares no required env vars or config paths, yet the instructions reference external services (ComfyDeploy, Nano Banana Pro / Imagen 3) that typically need API keys, and a local models catalog path. This mismatch (no declared credentials but clear dependency on third-party services and local assets) is disproportionate and inconsistent. The agent would likely need access to local user files and external service credentials to function fully.
ℹ
Persistence & Privilege
The skill is not always-enabled; it uses the platform default, under which user invocation and autonomous invocation are allowed. It does not request persistent 'always' presence. Still, the runtime instructions expect access to the user's home path and potentially call external services; that access is significant and should be considered before granting the skill autonomy.
Scan Findings in Context
[no_regex_findings] expected: The static regex scanner reported no findings. That does not remove the flagged incoherences: the SKILL.md and bundled script(s) still reference local file paths and external services but the manifest declares no credentials/configs.
What to consider before installing
Key things to check before installing or enabling this skill:
- Credentials & endpoints: The instructions name ComfyDeploy, Nano Banana Pro, and Imagen 3 but the skill declares no API keys or config paths. Ask the publisher which credentials are needed and where they will be stored. Do not provide sensitive keys until you verify the code.
- Local file access: SKILL.md refers to a local models catalog (~/clawd/models-catalog/...). Confirm whether the skill will read from your filesystem and whether that's necessary. If you do not want it to access home directories, decline or sandbox the skill.
- Review the included code: There's a scripts/generate.py bundled with the skill. Inspect it (or have someone audit it) to confirm it does only the expected scraping, prompt assembly, and calls to safe endpoints. Look for hard-coded external endpoints, telemetry/exfil calls, or behavior that uploads local files to third-party servers.
- Likeness, copyright & ethics: Prompts demand exact replication of talent faces/poses. Ensure you have rights/consent to use any real-person images; this capability can enable creation of images that impersonate people — be cautious with legal and ethical risks.
- Sandbox test: If you proceed, run the skill in an isolated environment with limited network and filesystem permissions first. Provide only non-sensitive credentials and use test accounts for any third-party image backends.
- Ask the publisher for clarifications: Request an explicit list of required environment variables, required config paths, which external services are used and how/where credentials are stored, and a link to the upstream repository or license. The SKILL.md references a GitHub repo; verify that repository and its trustworthiness.
Because the behavior is plausible for an ad-generator but the manifest and instructions disagree about required resources and access, treat this skill as suspicious until you confirm the missing details and audit the bundled script(s).