ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hana Image Gen MacOS

v1.0.0

MacOS Gemini image gen via OpenRouter for OpenClaw agents. Auto-wait, gen, send image.

0· 46·0 current·0 all-time
by@eardori

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for eardori/hana-image-gen-macos.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Hana Image Gen MacOS" (eardori/hana-image-gen-macos) from ClawHub.
Skill page: https://clawhub.ai/eardori/hana-image-gen-macos
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install hana-image-gen-macos

ClawHub CLI

Package manager switcher

npx clawhub@latest install hana-image-gen-macos
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to generate images via OpenRouter/Gemini, which legitimately requires an OPENROUTER_API_KEY — the included script uses that. However the registry metadata declares no required env vars while SKILL.md lists OPENROUTER_API_KEY and TELEGRAM_BOT_TOKEN. TELEGRAM_BOT_TOKEN is not used in the code, so its presence in SKILL.md is unexplained.
!
Instruction Scope
SKILL.md instructs the agent to run the script and then to read ../output.json with jq to extract the image path. The provided scripts/gen.py writes JSON to stdout (prints to stdout) and does not create ../output.json, so the instructions and code disagree and will fail as written. The SKILL.md also declares TELEGRAM_BOT_TOKEN required but the runtime steps do not reference or use it. The agent will download arbitrary image URLs returned by OpenRouter — expected for this purpose but worth noting as external network fetching and file writes to /tmp occur.
Install Mechanism
There is no install spec; this is instruction-plus-script only. No remote downloads or install-time archive extraction are present in the package, which is the lower-risk pattern for install mechanisms.
!
Credentials
The code legitimately requires OPENROUTER_API_KEY. TELEGRAM_BOT_TOKEN is listed in SKILL.md but not referenced anywhere in the code, and the registry metadata lists no required env vars — this mismatch is disproportionate and unclear. The script performs network calls and downloads images from URLs returned by OpenRouter; no other secrets are requested.
Persistence & Privilege
The skill does not request permanent/always presence and does not modify system or other skills' configs. It runs on demand and writes output files to /tmp only.
What to consider before installing
This skill appears to be trying to do what it says (generate images via OpenRouter) but contains several inconsistencies and bugs you should resolve before installing or running it with real secrets: - Do not provide credentials until fixed: OPENROUTER_API_KEY is required by the script; TELEGRAM_BOT_TOKEN is listed but unused — clarify whether the skill actually needs a Telegram token. The package metadata should declare required env vars correctly. - Fix the runtime mismatch: SKILL.md expects ../output.json but scripts/gen.py prints JSON to stdout and writes image files to /tmp. Either change SKILL.md to capture stdout into ../output.json or modify gen.py to write ../output.json. As-is, the workflow will fail. - Fix the code bug: scripts/gen.py references item.get(b64_json) (an undefined name) when constructing a data URL; that will raise an error if that branch runs. Review and correct that logic. - Review external fetch behavior: the script downloads arbitrary URLs returned by OpenRouter and writes them to /tmp. This is expected for an image generator but entails network fetches and writing data to disk — run in a sandbox and limit exposure if you have strict security requirements. - Audit OpenRouter usage: the script posts to https://openrouter.ai; confirm you trust that service and that the API key scope is limited. Consider rate limits and log handling. If you need this skill, ask the publisher to (1) update metadata to declare OPENROUTER_API_KEY, (2) remove or justify TELEGRAM_BOT_TOKEN, (3) correct SKILL.md to match gen.py behavior (or vice-versa), and (4) fix the b64_json bug. Until these issues are addressed, treat the skill as untrusted and run only in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bvw71hkf7gjgc2e82d1f8wx85jx3z
46downloads
0stars
1versions
Updated 2d ago
v1.0.0
MIT-0
@eardori
latest
Download

Hana Image Gen Pro (MacOS)

Agent Workflow

  1. message action=send text="⏳ Generating image for: $prompt"
  2. cd scripts && OPENROUTER_API_KEY=$OPENROUTER_API_KEY python3 gen.py "$prompt"
  3. IMAGE=$(cat ../output.json | jq -r .paths[0])
  4. message action=send media=$IMAGE caption="Generated: $prompt 😏" NO_REPLY.

Required Env

OPENROUTER_API_KEY, TELEGRAM_BOT_TOKEN (global .env)

Comments

Loading comments...