Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Re Blog Image

v1.1.2

Generate a 1600px-wide webp blog thumbnail image using the nano-img CLI. Use when the user provides a blog topic or blog name and wants a thumbnail image gen...

by Dishant Sharma (@dishant0406)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dishant0406/re-blog-image.

Prompt preview: Install & Setup
Install the skill "Re Blog Image" (dishant0406/re-blog-image) from ClawHub.
Skill page: https://clawhub.ai/dishant0406/re-blog-image
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install re-blog-image

ClawHub CLI


npx clawhub@latest install re-blog-image

Security Scan

Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The declared metadata lists no required env vars, credentials, or config paths, yet the SKILL.md explicitly depends on an API key (NANO_IMAGE_API_KEY), a separate nano-img-cli skill, creates ~/blog-images, and updates ~/blog-meta/*.json. The skill should have declared the API key and the config paths it will touch; their absence is an incoherence.
Instruction Scope (flagged)
The instructions tell the agent to echo and source ~/.zshrc to obtain NANO_IMAGE_API_KEY (accessing a user dotfile and revealing a secret), and to search/modify ~/blog-meta/*.json files. There are also direct contradictions: SKILL.md says 'never ask the user to add or set the API key manually' while references say to ask the user to export the key. These broaden the agent's file/secret access beyond what the metadata claims.
Install Mechanism
This is instruction-only (no install spec), which is lower surface-risk, but it instructs running `npm install -g nanobana` if nano-img is missing and to `openclaw skills install nano-img-cli`. Global npm installs and third-party skill installs are expected for this task but carry the usual risks of executing code from npm or an unvetted skill. No obscure download URLs are used.
Credentials (flagged)
The skill requires access to NANO_IMAGE_API_KEY (a sensitive secret) but the registry metadata lists no required env vars or primary credential. Additionally, the SKILL.md instructs sourcing ~/.zshrc and echoing the key (which may expose the secret in logs). This is disproportionate and undocumented in the metadata. The contradictory guidance about asking the user to set the key adds to the concern.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. However, it mandates creating ~/blog-images and writing to ~/blog-meta/*.json — persistent modifications to the user's home. Writing/updating arbitrary JSON files without the metadata declaring config paths is a notable privilege but not an automatic blocker; it should be documented and consented to.
What to consider before installing
Before installing or running this skill:

  1. Ask the author/maintainer to update the skill metadata to declare NANO_IMAGE_API_KEY and the ~/blog-meta path(s).
  2. Verify why the skill insists on sourcing ~/.zshrc and echoing the API key — this can expose secrets; prefer a documented, explicit credential configuration.
  3. Back up ~/blog-meta before first run; the skill will modify JSON files and requires write access.
  4. Inspect the nano-img-cli skill (and any npm package it installs, e.g., nanobana) to ensure they are trusted.
  5. Resolve the contradictory guidance in SKILL.md vs references (one says never ask user to set the key; the other suggests exporting it).

If the maintainer cannot clarify these inconsistencies and justify the secret access/update behavior, treat the skill as high-risk and avoid installing it.


latest: vk971x2998bv559wgzgnmjqpw0d85bjsc
127 downloads · 0 stars · 6 versions · Updated 5d ago · v1.1.2 · MIT-0

Blog Image

Use this skill to generate one blog thumbnail per run with the nano-img CLI, which comes from the nanobana npm package.

CRITICAL NON-NEGOTIABLE: this skill depends on the nano-img-cli skill. Before running any command, verify it is installed:

openclaw skills install nano-img-cli

If the command nano-img is not available after that, stop and report the error.

If the user did not provide a topic, ask for one before proceeding.

Inputs to infer

  • TOPIC: the subject of the blog post the image is for (e.g. "vector databases", "building a notes app in Rust")
  • Optional: --save-to path override (default: ~/blog-images/)
  • Optional: --prefix for the output filename

Prerequisite check

Before generating, run these checks in order:

1. Confirm nano-img is available:

nano-img --help

If this fails, run:

npm install -g nanobana

Then verify again. If still failing, stop and report.

2. Confirm NANO_IMAGE_API_KEY is set:

echo $NANO_IMAGE_API_KEY

If the output is empty, source ~/.zshrc first — the key is defined there:

source ~/.zshrc && echo $NANO_IMAGE_API_KEY

CRITICAL NON-NEGOTIABLE: never ask the user to add or set the API key manually. It is already in ~/.zshrc. Always source it before concluding the key is missing. If it is still empty after sourcing, report the exact output and stop.

Workflow

  1. Confirm the topic with the user or infer it from the blog name they provided.
  2. Create ~/blog-images/ if it does not exist.
  3. Run the generation command using this exact structure:
nano-img generate -w 1600 -f webp --save-to ~/blog-images \
  "1920x1080 thumbnail on topic \"{TOPIC}\" dont just use text use proper vectors resarch on web and make and all, add more vectors then just text (less text more vectors images and all)"

Replace {TOPIC} with the actual topic. Keep the rest of the prompt exactly as written. Do not paraphrase, shorten, or reword the prompt text. It is battle-tested.

  4. Confirm the output file was written to ~/blog-images/. Note the exact absolute path.
  5. Update the blog-meta JSON with the image path.
    • Look for a matching JSON file in ~/blog-meta/ whose blog_path value corresponds to the same blog.
    • If found, set thumbnail_path to the exact absolute path of the generated image file.
    • Write the updated JSON back to the same file. Do not change any other field.
    • If no matching JSON file is found, note it in the completion report but do not fail the run.
  6. Report the full output file path.
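The prerequisite check and workflow above, as an added example that is not the skill's own code nor part of the nano-img CLI. It departs from SKILL.md in one deliberate way: the API key is checked for presence only, never echoed, and ~/.zshrc is not sourced (the behaviour the scan above flags), so the credential comes solely from the caller's environment. The mandated command is built as an argv list with the prompt verbatim, the matching ~/blog-meta file is updated in thumbnail_path only, and a missing match is reported rather than treated as failure. It assumes nano-img accepts the flags exactly as SKILL.md lists them; the two meta files in run_demo are constructed sample data.

```python
"""Added example, not the skill's own code: the Blog Image workflow with a
secret-safe prerequisite check and a field-scoped blog-meta update."""
import json
import os
import shutil
import tempfile
from pathlib import Path

# Prompt copied verbatim from SKILL.md; only {TOPIC} is ever substituted.
PROMPT_TEMPLATE = (
    '1920x1080 thumbnail on topic "{TOPIC}" dont just use text use proper '
    "vectors resarch on web and make and all, add more vectors then just text "
    "(less text more vectors images and all)"
)


def check_prerequisites(env=None):
    """Report whether nano-img is on PATH and whether NANO_IMAGE_API_KEY is set.

    The key is reported as present/absent only; its value is never returned,
    logged or printed, and ~/.zshrc is not sourced. The caller's environment
    is the single source of truth for the credential.
    """
    env = os.environ if env is None else env
    return {
        "nano_img_on_path": shutil.which("nano-img", path=env.get("PATH")) is not None,
        "api_key_present": bool(env.get("NANO_IMAGE_API_KEY", "").strip()),
    }


def build_command(topic, save_to="~/blog-images"):
    """Build the mandated command as an argv list (no shell interpolation).

    Flags follow SKILL.md: -w 1600 -f webp --save-to <dir>, then the verbatim
    prompt with {TOPIC} substituted. Pass the list to subprocess.run.
    """
    topic = (topic or "").strip()
    if not topic:
        raise ValueError("topic is required; ask the user for one before running")
    argv = ["nano-img", "generate", "-w", "1600", "-f", "webp", "--save-to", save_to]
    argv.append(PROMPT_TEMPLATE.replace("{TOPIC}", topic))
    return argv


def update_blog_meta(meta_dir, blog_path, thumbnail_path):
    """Set thumbnail_path in the one meta file whose blog_path matches.

    Only that field is written; every other field is preserved. Returns the
    updated Path, or None when the directory or a matching file is absent
    (a missing match is reported by the caller, not treated as failure).
    """
    meta_dir = Path(meta_dir).expanduser()
    if not meta_dir.is_dir():
        return None
    absolute_image = os.path.abspath(os.path.expanduser(str(thumbnail_path)))
    for meta_file in sorted(meta_dir.glob("*.json")):
        try:
            data = json.loads(meta_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: skip it, do not abort the run
        if not isinstance(data, dict) or data.get("blog_path") != blog_path:
            continue
        data["thumbnail_path"] = absolute_image
        meta_file.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8")
        return meta_file
    return None


def run_demo():
    """Constructed sample: two meta files in a temp dir, one matching the blog."""
    with tempfile.TemporaryDirectory() as tmp:
        meta_dir = Path(tmp) / "blog-meta"
        meta_dir.mkdir()
        (meta_dir / "rust-notes-app.json").write_text(json.dumps({
            "title": "Building a notes app in Rust",
            "blog_path": "blog/rust-notes-app.md",
            "tags": ["rust"],
        }), encoding="utf-8")
        (meta_dir / "vector-dbs.json").write_text(json.dumps({
            "title": "Vector databases", "blog_path": "blog/vector-dbs.md",
        }), encoding="utf-8")
        image = Path(tmp) / "blog-images" / "rust-notes-app.webp"
        updated = update_blog_meta(meta_dir, "blog/rust-notes-app.md", image)
        after = json.loads((meta_dir / "rust-notes-app.json").read_text(encoding="utf-8"))
        other = json.loads((meta_dir / "vector-dbs.json").read_text(encoding="utf-8"))
        return {
            "updated_file": updated.name if updated else None,
            "thumbnail_path": after.get("thumbnail_path"),
            "other_fields_unchanged": (
                set(after) == {"title", "blog_path", "tags", "thumbnail_path"}
                and after["tags"] == ["rust"]
                and "thumbnail_path" not in other
            ),
            "no_match_result": update_blog_meta(meta_dir, "blog/missing.md", image),
        }


if __name__ == "__main__":
    print(json.dumps(check_prerequisites(), indent=2))
    print(build_command("vector databases"))
    print(json.dumps(run_demo(), indent=2))
```

The completion report the skill asks for can be assembled from these return values: the argv list is the full command run, check_prerequisites gives a yes/no on the credential without ever putting its value in the transcript, and the update_blog_meta return value is either the file that was changed or None, which is exactly the "no match was found" line the report needs.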

Quality bar

  • CRITICAL NON-NEGOTIABLE: always use -w 1600 -f webp. Never change these flags.
  • CRITICAL NON-NEGOTIABLE: always use --save-to ~/blog-images unless the user explicitly provides a different path.
  • CRITICAL NON-NEGOTIABLE: never modify the prompt text. Use it verbatim with only {TOPIC} substituted.
  • CRITICAL NON-NEGOTIABLE: do not skip the prerequisite check. If nano-img is missing, install it first.
  • CRITICAL NON-NEGOTIABLE: after a successful generation, always attempt to update the matching ~/blog-meta/*.json with thumbnail_path. Never skip this step.

Completion report

At the end, report:

  • Topic used
  • Full nano-img command run
  • Output file path
  • Whether the file exists at that path after generation
  • Which ~/blog-meta/*.json file was updated (or that no match was found)
