Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pattern

Automates jewellery product marketing using Google Vertex AI (Gemini and Imagen) and Google Drive.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (high confidence)
Purpose & Capability
SKILL.md and the JSON manifest describe using Google Vertex AI Gemini for text and Imagen for images. The Python implementation, however, uses AsyncAnthropic (Claude) for prompt and content generation, while still using vertexai for image generation and Google Drive for storage. The code's dependence on an Anthropic API key is not justified by the declared purpose or by the registry metadata, which claims no required env vars.
Instruction Scope
The runtime instructions (prompt generation → Imagen → Drive upload → caching) are coherent for a jewellery-marketing pipeline. However, SKILL.md and the registry omit operational details the code relies on: a Redis cache, service-account based Drive access, and an LLM provider. The pipeline downloads images from arbitrary URLs, hashes them, caches results for 30 days, and uploads outputs to Drive; all of this is expected for the described workflow but none of it is fully declared.
Install Mechanism
No install spec is provided (instruction-only skill), which limits install-surface risk. A runnable FastAPI worker is bundled as source, so deploying it requires installing dependencies and running code; the package does not declare how to install those dependencies. That is an operational omission rather than an immediate install-time red flag.
Credentials
Registry and skill metadata say 'required env vars: none', but the code expects multiple environment variables: ANTHROPIC_API_KEY, GOOGLE_APPLICATION_CREDENTIALS (service account JSON path), REDIS_URL, GCP_PROJECT_ID, GCP_LOCATION, and the optional DRIVE_FOLDER_ID. Requiring a Google service account (drive.file scope) is reasonable for Drive uploads, but requiring an Anthropic API key contradicts the stated use of Gemini and is neither explained nor proportionate to the declared purpose.
Persistence & Privilege
The skill keeps persistent state: a 4-field memory map (style, tone, background_preference, top_performing_caption) and a 30-day cache in Redis keyed by image hash. The manifest's always flag is false and the skill does not modify other skills, but the persisted cache and the Drive uploads mean it retains and publishes user-provided images and generated text. Review retention, access controls, and Drive share settings before enabling it.
Scan Findings in Context
[anthropic_api_usage] unexpected: Code invokes AsyncAnthropic and references a Claude model (claude-3-5-sonnet-20241022) while the SKILL.md and JSON manifest claim Gemini (Vertex) for text generation. This is an inconsistency: an external LLM provider is used but not documented in the skill's declared requirements.
[google_service_account_usage] expected: Code loads GOOGLE_APPLICATION_CREDENTIALS and uses googleapiclient to upload files to Drive. This aligns with the stated Drive storage purpose but requires careful scoping of the service account (drive.file scope).
[redis_usage] expected: Code connects to REDIS_URL for caching hashed images for 30 days. Caching is described in SKILL.md, but Redis connection details are not declared in the skill metadata.
What to consider before installing
Do not install the skill or provide credentials until the developer clarifies and fixes these inconsistencies. Ask the maintainer to:

  1. Confirm which LLM is used (Gemini or Anthropic) and update SKILL.md and the manifest to declare the exact provider and the required env vars.
  2. List every required environment variable and the minimum permissions it implies (for example, a service account limited to the drive.file scope, and exactly how DRIVE_FOLDER_ID is used).
  3. Explain the Redis dependency and whether a local or managed Redis is required.
  4. Keep the service account at least privilege (no broader GCP roles) and state whether uploaded files are shared publicly or remain private.
  5. Consider a shorter cache TTL and document what personal data is retained.

If you must supply keys anyway, run the skill in an isolated environment and rotate the credentials after testing. These steps reduce the risk of unintended data exposure from the undeclared Anthropic key and service-account usage.
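The gap the scanner reports, a manifest that declares no env vars while the worker reads six, is something you can check yourself before trusting any skill's metadata. The script below is an added example written for this review, not code from the skill or from ClawHub: it walks the Python AST of a skill's source, collects every name read through os.environ[...], os.environ.get(...) and os.getenv(...), and diffs that set against the manifest's declared list. The sample source and the manifest field name required_env are constructed for the example; the real jewellery_openclaw_skill.py and JSON manifest are not reproduced here, and the key the real manifest uses may differ.

```python
import ast
import json

# Constructed stand-in for a skill's Python source. It only mirrors the env-var reads
# the scanner lists; it is not the real jewellery_openclaw_skill.py.
SAMPLE_SOURCE = '''
import os
from anthropic import AsyncAnthropic

client = AsyncAnthropic(api_key=os.environ["ANTHROPIC_API_KEY"])
creds_path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
redis_url = os.getenv("REDIS_URL", "redis://localhost:6379/0")
project = os.environ["GCP_PROJECT_ID"]
location = os.getenv("GCP_LOCATION", "us-central1")
folder = os.environ.get("DRIVE_FOLDER_ID")
'''

# Constructed manifest fragments. "required_env" is an assumed field name, chosen to
# model the registry claim "required env vars: none".
SAMPLE_MANIFEST_NONE = json.dumps({"name": "pattern", "required_env": []})
SAMPLE_MANIFEST_FULL = json.dumps({"name": "pattern", "required_env": [
    "ANTHROPIC_API_KEY", "GOOGLE_APPLICATION_CREDENTIALS", "REDIS_URL",
    "GCP_PROJECT_ID", "GCP_LOCATION", "DRIVE_FOLDER_ID"]})

_Index = getattr(ast, "Index", None)  # Python < 3.9 wraps subscript slices in ast.Index


def _is_os_environ(node) -> bool:
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _literal(node):
    """Return the string literal in a subscript or argument, else None."""
    if _Index is not None and isinstance(node, _Index):
        node = node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


class _EnvReads(ast.NodeVisitor):
    """Collect variable names read via os.environ[...], os.environ.get(...), os.getenv(...)."""

    def __init__(self):
        self.names = set()

    def visit_Subscript(self, node):
        if _is_os_environ(node.value):
            name = _literal(node.slice)
            if name:
                self.names.add(name)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and node.args:
            is_environ_get = func.attr == "get" and _is_os_environ(func.value)
            is_getenv = (func.attr == "getenv" and isinstance(func.value, ast.Name)
                         and func.value.id == "os")
            if is_environ_get or is_getenv:
                name = _literal(node.args[0])
                if name:
                    self.names.add(name)
        self.generic_visit(node)


def env_vars_read(source: str) -> set:
    """Every env var name the source reads with a literal key (optional or not)."""
    visitor = _EnvReads()
    visitor.visit(ast.parse(source))
    return visitor.names


def undeclared_env_vars(source: str, manifest_json: str) -> set:
    """Env vars the code reads that the manifest does not declare."""
    declared = set(json.loads(manifest_json).get("required_env", []))
    return env_vars_read(source) - declared


if __name__ == "__main__":
    for name in sorted(undeclared_env_vars(SAMPLE_SOURCE, SAMPLE_MANIFEST_NONE)):
        print("undeclared:", name)
```

The check only catches reads with literal keys; a name built at runtime (os.environ[prefix + "_KEY"]) needs a grep for os.environ and a manual look. Run it against every Python file the skill bundles, not just the worker.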


Current version: v1.0.0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Pattern Jewellery Automation Skill

Overview

This skill automates the creation of high-end marketing content for Pattern Jewellery products. It orchestrates a sophisticated multi-agent pipeline: securely ingesting raw product photos, generating lifestyle and studio images via Imagen 3, writing SEO-optimized copy via Gemini 1.5 Pro, and systematically organizing the final assets in Google Drive.


📥 Input Schema

The skill expects a trigger payload with the following fields:

  • product_image (String): URL or base64 string of the raw product photograph.
  • product_details (Object):
    • name: Product title (e.g. "Diamond Blue Sapphire Ring")
    • sku: Unique identifier (e.g. "R4389")
    • category: Organization category (e.g. "rings")
    • material: Composition (e.g. "18K white gold, 0.32ct diamond")
    • price_now: Current retail price (e.g. 4455)
    • description: Core design breakdown.
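The scanner notes that the pipeline downloads whatever URL arrives in product_image, and Step 4 below builds a Drive path from category and sku. Neither field is validated anywhere in SKILL.md, so here is an added example of the checks a deployer would put in front of the worker. It is written for this review and is not code from the skill: the slug pattern, the size cap, the JPEG/PNG restriction and the resolver-injection style are all assumptions of the example. A URL is accepted only with an http(s) scheme, no embedded credentials, and a hostname whose every resolved address is public (so the cloud metadata endpoint, loopback and RFC 1918 ranges are refused); a base64 payload must decode to a JPEG or PNG under the cap; category and sku must be plain slugs so they cannot carry path separators into the Drive folder layout.

```python
import base64
import binascii
import ipaddress
import re
import socket
from urllib.parse import urlparse

SLUG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")  # assumed format for category/sku
MAX_IMAGE_BYTES = 10 * 1024 * 1024                           # assumed cap, not from the skill
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def dns_resolve(host: str) -> list:
    """Real resolver for production use; the constructed one below is used offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table for the demo: one public host, one metadata-service host,
# one host that mixes public and private answers. Unknown names fall through as IP literals.
_CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}


def constructed_resolve(host: str) -> list:
    return _CONSTRUCTED_DNS.get(host, [host])


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_image_url(url: str, resolve=dns_resolve) -> str:
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("URL needs a plain hostname and must not embed credentials")
    addresses = resolve(parts.hostname)
    # every answer must be public; one private record in the set is enough to refuse
    if not addresses or not all(is_public_address(ip) for ip in addresses):
        raise ValueError(f"{parts.hostname} does not resolve only to public addresses")
    return url


def decode_base64_image(data: str) -> bytes:
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("product_image is neither an http(s) URL nor valid base64") from exc
    if len(raw) > MAX_IMAGE_BYTES:
        raise ValueError("decoded image exceeds the size cap")
    if not raw.startswith((JPEG_MAGIC, PNG_MAGIC)):
        raise ValueError("decoded bytes are not a JPEG or PNG")
    return raw


def validate_payload(payload: dict, resolve=dns_resolve) -> dict:
    """Return the vetted fields the pipeline may use, or raise ValueError."""
    details = payload["product_details"]
    for field in ("category", "sku"):
        value = str(details.get(field, ""))
        if not SLUG_RE.match(value):
            raise ValueError(f"{field}={value!r} is not a safe Drive path segment")
    image = payload["product_image"]
    if image.lower().startswith(("http://", "https://")):
        vetted = {"image_kind": "url", "image": check_image_url(image, resolve)}
    else:
        vetted = {"image_kind": "bytes", "image": decode_base64_image(image)}
    vetted.update(category=details["category"], sku=details["sku"])
    return vetted


def rejected(payload: dict, resolve=dns_resolve) -> bool:
    """True if validate_payload refuses the payload."""
    try:
        validate_payload(payload, resolve)
    except ValueError:
        return True
    return False


# Constructed sample inputs
SAMPLE_PNG_B64 = base64.b64encode(PNG_MAGIC + bytes(16)).decode("ascii")
SAMPLE_PAYLOAD = {
    "product_image": "https://cdn.example.com/r4389.jpg",
    "product_details": {"name": "Diamond Blue Sapphire Ring", "sku": "R4389",
                        "category": "rings", "price_now": 4455},
}

if __name__ == "__main__":
    print(validate_payload(SAMPLE_PAYLOAD, constructed_resolve)["image_kind"])
```

Resolving once and then fetching later leaves a window for DNS rebinding; the fetch should connect to the address that was vetted (or re-run the check on the socket's peer address) and must apply the same check to every redirect target.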

📤 Output Schema

  • model_image_url: Link to the generated lifestyle model image.
  • product_image_url: Link to the generated product-only image.
  • caption: Formatted Instagram caption highlighting the luxury aesthetic.
  • hashtags: Array of 20 optimized tags.
  • drive_link: Public/Internal Google Drive folder URL hosting all generated assets.

⚙️ Workflow Execution Steps

1. Vision & Prompt Generation (Gemini 1.5 Pro)

The system visually analyzes the product_image alongside the product_details to determine design intricacy, materials, and aesthetic quality. It then outputs two strictly constrained prompts:

  • Model Prompt (Max 120 Tokens): A lifestyle photograph prompt targeting the Gulf luxury market. It details an elegant model wearing the piece in an upscale interior (e.g., modern Dubai), with specific studio lighting and bokeh settings.
  • Product Prompt (Max 120 Tokens): A premium product-only photography prompt placing the piece on luxury backgrounds (e.g., white Carrara marble, deep navy velvet) equipped with three-point studio lighting and macro lens specs.

2. Parallel Image Generation (Imagen 3)

Using Google Vertex AI, this step dispatches parallel requests:

  • Generates the model_image (1 sample, ultra quality, 4:5 aspect ratio, adult generation allowed).
  • Generates the product_image (1 sample, ultra quality, 1:1 aspect ratio, tack-sharp).

3. Parallel Content Generation (Gemini 1.5 Pro)

Concurrently with the image rendering, the LLM drafts an engaging Instagram caption matching Pattern Jewellery's aspirational and traditional-modern fusion tone. It seamlessly integrates the price point and structural details, returning the copy alongside a 20-tag hashtag package.

4. Storage & Compilation (Google Drive)

All final image bytes (.jpg) and text output (.txt) are uploaded through the Google Drive API into a structured directory path: /Pattern_Jewellery/{category}/{sku}/.


🧠 Memory Rules & State Management

This skill utilizes a persistent, 4-field memory map to iteratively improve generation over time based on user feedback. The core keys are:

  • style: Default is "editorial"
  • tone: Default is "aspirational-luxury"
  • background_preference: Default is "white-marble"
  • top_performing_caption: Cached high-performing copy for tone-matching.

These variables are dynamically injected into the prompt generation templates (Step 1).

⚡ Caching Protocol

To minimize unnecessary GPU execution costs:

  1. Incoming images are hashed (SHA-256 or pHash).
  2. Lookups occur against a Redis/Local cache mapping.
  3. If the exact same image and metadata payload are received within the TTL window (30 days), the pipeline bypasses Gemini/Imagen entirely and immediately returns the cached Google Drive URL.
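The protocol above says a hit requires the same image and the same metadata payload, which means the cache key has to cover both; a key over the image hash alone (which is how the scanner describes the Redis cache) would return the old Drive URL after a price or description change. The following is an added example written for this page, not the skill's own code: it derives the key from SHA-256 over the image bytes plus a canonical JSON serialisation of product_details, stores it with the 30-day TTL, and walks through a miss, a hit with the same data in a different key order, a miss after a metadata change, and a miss after the TTL expires. FakeRedis is a constructed in-memory stand-in that mimics only the setex and get calls a real redis client would receive, so the example runs offline.

```python
import hashlib
import json
import time

CACHE_TTL_SECONDS = 30 * 24 * 60 * 60  # the 30-day window described in the caching protocol


def canonical_metadata(product_details: dict) -> bytes:
    # sorted keys and fixed separators: the same logical payload always serialises the same way
    return json.dumps(product_details, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def cache_key(image_bytes: bytes, product_details: dict, namespace: str = "pattern:v1") -> str:
    """SHA-256 over image bytes and metadata; the namespace lets a schema change invalidate all keys."""
    h = hashlib.sha256()
    h.update(len(image_bytes).to_bytes(8, "big"))  # length prefix so image/metadata cannot blend
    h.update(image_bytes)
    h.update(canonical_metadata(product_details))
    return f"{namespace}:{h.hexdigest()}"


class FakeRedis:
    """Constructed stand-in for the redis client: only setex() and get(), with a pluggable clock."""

    def __init__(self, clock=time.time):
        self._store = {}
        self._clock = clock

    def setex(self, key, ttl_seconds, value):
        self._store[key] = (value, self._clock() + ttl_seconds)

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:
            del self._store[key]
            return None
        return value


def lookup_or_generate(cache, image_bytes: bytes, product_details: dict, generate):
    """Return (drive_url, cache_hit). `generate` stands in for the Gemini -> Imagen -> Drive path."""
    key = cache_key(image_bytes, product_details)
    url = cache.get(key)
    if url is not None:
        return url, True
    url = generate(image_bytes, product_details)
    cache.setex(key, CACHE_TTL_SECONDS, url)
    return url, False


def demo() -> list:
    """Walk the cache through miss, hit, metadata change and TTL expiry.
    Returns the observed (cache_hit, generate_call_count) per step."""
    now = [1_700_000_000.0]  # constructed clock, advanced by hand
    cache = FakeRedis(clock=lambda: now[0])
    calls = [0]

    def generate(image, details):
        calls[0] += 1
        return f"https://drive.google.com/drive/folders/constructed-{calls[0]}"

    image = b"\xff\xd8\xff" + bytes(32)  # constructed JPEG-like bytes
    details = {"sku": "R4389", "category": "rings", "price_now": 4455}
    steps = [
        (details, 0),
        ({"price_now": 4455, "category": "rings", "sku": "R4389"}, 0),  # same data, new key order
        (dict(details, price_now=3999), 0),                              # metadata changed
        (details, CACHE_TTL_SECONDS + 1),                                # past the 30-day window
    ]
    trace = []
    for step_details, advance in steps:
        now[0] += advance
        _, hit = lookup_or_generate(cache, image, step_details, generate)
        trace.append((hit, calls[0]))
    return trace


if __name__ == "__main__":
    print(demo())
```

SHA-256 is an exact-match key; if the deployment chooses the pHash option instead, near-duplicate photos will also bypass generation, which makes the metadata part of the key and the per-customer namespace more important, not less. Whatever the key, a cached Drive URL is only as private as the folder it points at.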

📂 Bundled Files

  • jewellery_openclaw_skill.json: The core JSON pipeline graph mapped to OpenCLAW UI.
  • jewellery_openclaw_skill.py: Background FastAPI worker capable of executing the pipeline outside of OpenCLAW.
  • pattern_jewellery_openclaw_system.html: Front-end architectural diagram and design blueprint.
