Image Generation (Ollama x/z-image-turbo · macOS only)
v1.0.0Génère une image en local via Ollama x/z-image-turbo sur macOS et l'envoie sur WhatsApp selon le prompt donné.
⭐ 0· 834·1 current·1 all-time
by@eric51
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and the code files align on using Ollama to generate images and sending them to WhatsApp, but the registry metadata claims no required binaries or env vars while runner.py clearly calls the 'ollama' CLI and the SKILL.md requires python3 and a TTY. The package omits declaring these required executables (ollama, python), which is an incoherence that could hide unmet runtime assumptions.
Instruction Scope
The runtime instructions (run runner.py with pty=true and then use an internal message tool to send the generated file) are narrowly scoped and plausible. However, the bundle also contains FastAPI-based endpoints (generate_image.py and whatsapp_integration.py) that are not referenced in SKILL.md. whatsapp_integration.py performs an external POST to https://api.whatsapp.com/send, which is a web endpoint (not the documented WhatsApp Business API) and could result in data being transmitted externally if those endpoints are run. These extra server endpoints widen the skill's effective behavior beyond the documented instruction-only flow.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or extracted. That minimizes supply-chain risk. The remaining risk comes from included code files which, if executed by the agent, will run subprocesses and make network requests.
Credentials
The skill declares no required env vars or credentials, but generate_image.py supports OLLAMA_URL and OLLAMA_IMAGE_MODEL via environment variables (with safe defaults). More importantly, sending to WhatsApp normally requires credentials or a proper API; whatsapp_integration.py sends JSON to api.whatsapp.com without any auth, which is suspicious and inconsistent with a legitimate WhatsApp integration. Also SKILL.md hardcodes absolute agent-specific paths (/Users/openclaw/.openclaw/...), reducing portability and revealing host-path assumptions.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configurations. It contains server code that could be run, but nothing in the metadata asks for persistent installation or elevated privileges.
What to consider before installing
This skill mostly does what its SKILL.md says (use Ollama to generate images and deliver them via a WhatsApp channel), but there are several red flags you should address before installing: 1) The package fails to declare required binaries (ollama and python3) — ensure these are present and expected. 2) The bundle contains FastAPI endpoints (generate_image.py and whatsapp_integration.py) that are not mentioned in the SKILL.md; review those files carefully and do not run them unless you understand and trust their network behavior. 3) whatsapp_integration.py posts to https://api.whatsapp.com/send without auth — that is not a proper WhatsApp Business API call and could leak data or simply fail; verify how you expect WhatsApp delivery to work and whether credentials or an approved gateway are required. 4) The SKILL.md uses hard-coded agent paths (/Users/openclaw/.openclaw/...), which may be correct for your environment but are brittle and should be reviewed. If you decide to proceed, run the skill in a restricted/sandboxed environment, verify 'ollama' is local and trusted, and remove or disable the unused FastAPI endpoints (or require explicit configuration and authentication) to avoid accidental external data transmission.Like a lobster shell, security has layers — review code before you run it.
latestvk9742qc3bb4et555df0tpedbas80tfvy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.