Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gemini Image Gen

v1.3.1

Generate and edit images via Google Gemini API. Supports Gemini native generation, Imagen 3, style presets, and batch generation with HTML gallery. Zero depe...

8 · 4.7k · 31 current · 31 all-time
by 김덕환 (@iisweetheartii)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim image generation and editing via Google Gemini/Imagen; the package requires python3 and GEMINI_API_KEY only, and the included script uses generativelanguage.googleapis.com endpoints to generate/edit images — this aligns with the stated purpose.
Instruction Scope
SKILL.md instructs setting GEMINI_API_KEY and running scripts/gen.py (or examples using subprocess). The instructions do not tell the agent to read unrelated files or leak data. HEARTBEAT.md and integration notes recommend periodically generating and optionally sharing images to social feeds — these are optional behaviors the user should be aware of (could cause external posting if combined with other skills).
Install Mechanism
There is no automated install that downloads arbitrary code; the repo contains a single Python script (scripts/gen.py) and doc files. No remote installers/URL downloads or archive extraction are present in the skill metadata. Running the included script will perform network calls to the declared API host.
Credentials
Only GEMINI_API_KEY is required and is used directly by the script to authenticate calls to generativelanguage.googleapis.com. The requested credential matches the skill's needs. Note: package docs mention that other complementary skills may reuse the same API key, which increases blast radius if the key is shared across skills.
Persistence & Privilege
The skill's 'always' flag is false and the skill does not request special platform-wide persistence. The INSTALL.md suggests adding the key to shell profiles (a user action), but the skill itself does not modify other skills or system configs.
Assessment
This skill appears to do what it says: a local Python script that calls Google Gemini/Imagen using GEMINI_API_KEY. Before installing/running:
(1) review scripts/gen.py yourself (it runs HTTPS requests and writes files to a timestamped output directory under ~/Projects/tmp or ./tmp);
(2) avoid pasting sensitive long-lived credentials into shared shell profiles if you use the same GEMINI_API_KEY across multiple skills; consider a dedicated API key with limited billing/quota;
(3) be aware HEARTBEAT.md suggests periodic generation and 'sharing'; if you integrate this skill with social/posting skills, review those integrations so content or keys are not sent unintentionally;
(4) ensure you trust the repository source before running the script (it performs network calls and will transmit any image passed to the edit feature to the API).


Runtime requirements

Clawdis
Bins: python3
Env: GEMINI_API_KEY
Primary env: GEMINI_API_KEY
