Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent-first Marketing Image Generation
v0.3.0
Generates and refines image prompts, estimates costs, and produces business-ready images with predictable pricing for agent workflows via Rynjer API.
by @antipas
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (agent-first marketing image generation) matches the code and SKILL.md: prompt rewrite, cost estimate, generate, and poll are implemented. The runtime routes models and applies templates consistent with the marketing use cases. However, the package registry metadata declares no required env vars/credentials while the README/IMPLEMENTATION.md and runtime clearly support a live mode that needs RYNJER_USE_LIVE, RYNJER_BASE_URL and RYNJER_ACCESS_TOKEN (or an agent-created ryn_agent_v1_... key). That omission is an inconsistency to be aware of.
Instruction Scope
SKILL.md and code limit operations to prompt rewriting, local template lookup, cost estimation, generation requests, and polling the Rynjer API. The IMPLEMENTATION.md documents an agent registration/key-create flow (Ed25519 keypair generation and owner bind via UI) which is an auth onboarding step rather than hidden behavior; it may require out-of-band owner interaction. The instructions do not ask the agent to read unrelated host files or system secrets.
Install Mechanism
This is essentially an instruction-only skill with a small mock runtime JS file included. There is no install spec, no downloads, and nothing that writes executables or pulls remote archives — low install risk.
Credentials
The declared requirements list no environment variables or primary credential, but the runtime and documentation require (for live mode) RYNJER_USE_LIVE, RYNJER_BASE_URL, and RYNJER_ACCESS_TOKEN (or an agent-created API key). That mismatch is problematic because a user may install without realizing live-mode network calls will use an access token if provided. The number and type of env vars requested by the code (one bearer token and a base URL toggle) are proportionate to the purpose, but they should be declared up-front and the skill should clearly require minimal scopes for live usage.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system configs. It supports autonomous invocation by default (platform normal), which combined with live API access increases blast radius only if you enable RYNJER_ACCESS_TOKEN — a normal tradeoff for networked skills.
What to consider before installing
This package implements the advertised image-generation flow and has a safe-looking mock mode, but there are important mismatches to review before enabling live mode:
1) The manifest declares no required env vars but the runtime/README require RYNJER_USE_LIVE, RYNJER_BASE_URL, and RYNJER_ACCESS_TOKEN for live operation — expect network calls to the default BASE_URL (https://rynjer.com) if you set live mode.
2) The IMPLEMENTATION.md describes an agent registration / owner-bind flow that issues a ryn_agent_v1_... key; understand and control who performs the owner bind so you don't inadvertently grant scopes.
3) Generation is paid: ensure any token you provide has minimal scopes and you understand pricing behavior (estimate vs generate).
Recommendations before installing or running in live mode:
- Start in mock mode (do not set RYNJER_USE_LIVE) to verify behavior locally.
- If you enable live mode, only set RYNJER_ACCESS_TOKEN when you trust the Rynjer endpoint and have a token with minimal scopes.
- Confirm the BASE_URL is the official service you expect; the code will use it directly.
- Review the owner-bind/key creation process (out-of-band via UI) so you don't expose credentials to untrusted agents.
- If you need stronger guarantees, ask the publisher to update registry metadata to declare the required env vars and clarify the exact auth steps and minimal scopes.
Like a lobster shell, security has layers — review code before you run it.
latest vk97127gwnk72x61thh37xd51kh836wd1
