Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Poster Designer

v1.0.0

Create professional posters and visual designs using AI image generation. Supports event posters, product showcases, announcements, and social media graphics...

by Andy Liang (@andylikescodes)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for andylikescodes/poster-designer.

Install the skill "Poster Designer" (andylikescodes/poster-designer) from ClawHub.
Skill page: https://clawhub.ai/andylikescodes/poster-designer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install poster-designer

ClawHub CLI

npx clawhub@latest install poster-designer
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and docs: both scripts call the Gemini image generation API, offer templates, and compose text overlays. Required capability (GEMINI API access) is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs users to set GEMINI_API_KEY and claims user content is not stored; the runtime code loads a .env file (path: scripts/../.env) and merges all key=value pairs into process.env if not already set, which can pull in unrelated secrets from a repo-level .env. The compose script constructs and execs an ImageMagick shell command that embeds user-provided text; user-supplied fields (title, subtitle, etc.) flow into shell commands without safe argument isolation, creating a command-injection risk.
Install Mechanism
No install spec; this is instruction+script-only. No external downloads or installers are declared, so installation risk is minimal. The scripts assume ImageMagick or a browser fallback (HTML), which is aligned with the task.
Credentials
The only declared secret is the Gemini API key (GEMINI_API_KEY), which is appropriate. However, the code loads an arbitrary .env file and imports all key/value pairs into process.env (not limited to GEMINI_API_KEY), which could unintentionally expose other secrets present on the host. The code also sends the API key as a query parameter in API requests (key=...), which may be logged by intermediaries; using Authorization: Bearer would be safer.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will write generated outputs to disk (defaultOutputPath: /workspace/openclaw-data/exports and HTML files alongside inputs) which is normal for a poster generator, but you should be aware it creates files in the agent/workspace. No evidence it alters other skills or system-wide config.
What to consider before installing
This skill appears to implement what it claims (poster generation via Gemini) but has a couple of real implementation risks you should consider before installing or running it:

  • Command injection risk: compose-poster.js builds an ImageMagick command string that includes user-provided text and executes it with execSync. If malicious or poorly sanitized text is passed into title/subtitle/other fields, that could allow arbitrary shell commands to run. Ask the author to switch to child_process.execFile/spawn with argument arrays, or to explicitly sanitize/escape inputs safely.
  • .env loading risk: generate-poster.js automatically reads ../.env and imports every key into process.env. That can leak or accidentally use unrelated secrets stored in a repository-level .env. Keep other secrets out of that file, or modify the code to only load GEMINI_API_KEY or accept it exclusively from a secure environment store.
  • API key handling: the script places the API key in the request URL (?key=...), which can be logged by proxies. Prefer Authorization: Bearer headers to reduce accidental exposure.
  • Run in isolation: until these issues are addressed, run the skill in an isolated environment/container with minimal permissions and no extra secrets present in .env. Review the scripts yourself or request the upstream author to harden input handling and secret usage.

If you cannot accept these risks, do not install/run the skill; if you proceed, at minimum provide GEMINI_API_KEY via a controlled environment variable (not a repo .env with other secrets), and avoid passing untrusted text to the CLI without sanitization.
scripts/compose-poster.js:325
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-image, design, latest, marketing, poster
104 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Poster Designer Skill

Create professional posters and visual designs using AI image generation.

Quick Start

Generate a poster:

poster create --type event --title "Summer Music Festival" --date "2026-07-15"

Capabilities

  • Event Posters — Concerts, conferences, meetups, parties
  • Product Showcases — E-commerce listings, feature highlights
  • Announcements — Launches, openings, special offers
  • Social Media — Instagram, Facebook, Twitter graphics

Usage Patterns

Interactive Mode

Simply describe what you want:

"Create a poster for my band's gig next Friday at the Blue Note"

The skill will ask clarifying questions and generate the poster.

Template Mode

Use predefined templates:

  • event — General event poster with date/time/location
  • concert — Music-focused with band name and setlist
  • product — Product showcase with features and pricing
  • announcement — News/launch announcement
  • sale — Promotional sale poster

Custom Mode

Provide detailed specifications:

"Create a minimalist poster, 1080x1920 (9:16), dark blue background, neon pink text, featuring a geometric guitar illustration"

Configuration

Set your Gemini API key:

export GEMINI_API_KEY="your-api-key"

Or create .env in the skill directory by copying .env.example:

cp .env.example .env
# Edit .env and add your API key

Security Note: Never commit your .env file or share your API key. Keep it in environment variables or secure secret storage.

Get your API key from: https://makersuite.google.com/app/apikey

Output Formats

  • PNG — Default high-quality raster output
  • With Text Overlay — Generated image with text composited
  • Raw + Composite — Both the base image and final poster

Design Principles

Typography

  • Keep text readable (minimum 24pt for important info)
  • Use 2-3 fonts maximum
  • Ensure high contrast between text and background

Composition

  • Follow the rule of thirds
  • Leave breathing room (don't overcrowd)
  • Use visual hierarchy (most important info largest)

Color

  • Use complementary or analogous color schemes
  • Ensure accessibility (WCAG AA contrast minimum)
  • Consider brand colors when provided

API Integration

The skill uses Gemini image generation API with native multimodal capabilities:

  • Model: gemini-3.1-flash-image-preview (configurable)
  • Supports aspect ratios: 1:1, 4:3, 16:9, 9:16, 3:4
  • Output sizes: 1K (~1024px), 2K (~2048px), 4K (~3840px)

See references/api-docs.md for detailed API documentation.

Templates

See references/templates.md for available templates and customization options.

Examples

Event Poster

User: "Create a poster for a tech conference on May 15th"

Skill asks:
- Event name?
- Venue?
- Speaker lineup (optional)?
- Style preference (modern/minimal/bold)?

Then generates poster with:
- Compelling headline
- Date/time/venue prominently displayed
- Speaker photos or tech-themed visuals
- QR code placeholder for tickets

Product Showcase

User: "Design a product poster for my new wireless headphones"

Skill asks:
- Product name?
- Key features?
- Price?
- Style/tone?

Then generates:
- Hero product image
- Feature callouts
- Price and CTA
- Brand-appropriate styling

Error Handling

If image generation fails:

  1. Retry with exponential backoff (up to 3 attempts)
  2. Provide detailed error message
  3. Offer to adjust prompt and retry

Security & Safety

  • All generated content follows Gemini safety guidelines
  • User content is not stored persistently
  • API keys are never logged or exposed
  • .env.example is provided as a template - copy to .env and add your key
  • Never commit .env files with real credentials
  • Keep API keys in environment variables or secure secret storage
