Gemini TG Image Gen
v1.0.0 · Generate images via OpenRouter (google/gemini-2.5-flash-image) and send them to Telegram. Use when the user asks for AI-generated images in TG.
by RigdenDjapo (@drones277)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence

Purpose & Capability
The skill's stated purpose is image generation via OpenRouter and sending the result to Telegram, which matches the code and instructions. However, the registry metadata declares no required environment variables or primary credential, while SKILL.md and scripts/generate_image.py require OPENROUTER_API_KEY. That metadata mismatch is meaningful: the skill will fail without the API key.
Instruction Scope
SKILL.md instructs the agent to run the bundled script which calls OpenRouter and then downloads whatever image URLs/data the service returns, saves them under /root/.openclaw/workspace/tmp, and sends the local file via the Telegram message tool. Allowing the agent to fetch arbitrary URLs from the model response can let it make outbound requests to attacker-controlled or internal hosts (SSRF / unexpected network I/O). The instructions also rely on an env var (OPENROUTER_API_KEY) that wasn't declared in metadata.
Install Mechanism
There is no install spec (instruction-only + bundled script), which is lower risk than arbitrary downloads. The script uses the Python requests library but the skill metadata doesn't declare that dependency; runtime will fail or behave unpredictably if requests isn't available.
Credentials
The code expects OPENROUTER_API_KEY in the environment, but the skill metadata lists no required env vars and no primary credential. That omission is an inconsistency and should be corrected. No other credentials are requested, which is proportionate, but the missing declaration reduces transparency.
Persistence & Privilege
The skill does not request always:true, does not alter other skills, and is user-invocable. It writes files only to its workspace path (/root/.openclaw/workspace/tmp) which is expected for a generator; no elevated persistence or cross-skill modification is requested.
What to consider before installing
This skill appears to implement what it claims, but there are important issues to consider before installing:
- Metadata mismatch: The skill will fail without OPENROUTER_API_KEY, but that env var is not declared in the skill metadata. Only set that API key if you trust the skill and the OpenRouter account.
- Network risk: The script downloads whatever URLs are returned by OpenRouter. If an attacker or an unexpected response supplies a URL, the agent will fetch it (possible SSRF or access to internal resources). Consider running this in a network-restricted sandbox or adding URL host validation/allowlist.
- Dependency note: The script requires Python and the requests library; the skill does not declare those requirements. Ensure your runtime provides them.
- Code issues: There's a bug in _extract_image_urls (uses an undefined b64_json variable) that may raise an exception; you may want to inspect/fix the script before use.
Recommendations:
- Ask the publisher to update the registry metadata to declare OPENROUTER_API_KEY as a required credential and list runtime dependencies.
- Prefer running the skill in an isolated environment (no access to internal networks) and/or modify the script to validate/whitelist image hosts and limit timeouts/response sizes.
- Review or test the script locally first. If you don't trust the source, avoid providing your OpenRouter API key.