Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gemini Nano Images
v1.0.0
Generate ultra-realistic images and Instagram content using Gemini 2.0 Flash Experimental. Use when creating photorealistic images, social media content, or...
by NEO @vitja1988
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement image and Instagram-post generation using Gemini, which matches the skill name and description. However the registry metadata declares no required environment variables or primary credential while the runtime instructions and scripts clearly require GEMINI_API_KEY—this metadata mismatch is unexplained.
Instruction Scope
Most runtime instructions are scoped to image and caption generation and saving files. However the SKILL.md includes a 'Stock-Only Mode' section that instructs the user/agent to cd into ~/.openclaw/workspace/skills/ig-automation and run smart_poster_v4.py to change posting modes—this references and modifies another skill's files and runtime behavior outside this skill's domain, which is scope creep and a potential risk if executed by an agent.
Install Mechanism
There is no formal install spec (instruction-only plus included scripts). The SKILL.md recommends pip install google-genai which is a reasonable dependency for Gemini access. Lack of an install manifest means the package won't be centrally vetted/installed by the platform—verify the pip package source and audit the scripts before running.
Credentials
The skill requires a Gemini API key (GEMINI_API_KEY) according to SKILL.md and both scripts, which is proportionate for an image-generation skill. The problem is the registry metadata claims no required env vars or primary credential—this inconsistency could hide required secrets or lead to unexpected behavior. No other credentials are requested.
Persistence & Privilege
The skill is not marked always:true and is user-invocable, which is appropriate. However the instructions for interacting with ~/.openclaw/workspace/skills/ig-automation and running smart_poster_v4.py to change posting modes imply the skill may direct or advise modifying other skills' configuration or behavior—this cross-skill modification is a privilege escalation risk if an agent performs it automatically.
What to consider before installing
This skill's code and docs implement Gemini-based image + caption generation and require a GEMINI_API_KEY and the google-genai package—verify those before use. Red flags: the registry metadata lists no required env var but the scripts need GEMINI_API_KEY; model names differ between docs and code (gemini-2.0-flash-exp vs gemini-2.5-flash-image); and the SKILL.md tells you to cd into and run scripts from another skill (ig-automation) to set 'stock_only' mode, which would modify other skill behavior. Actions to take before installing: (1) Confirm the GEMINI_API_KEY source and only provide it to trusted skills; (2) Inspect/run the included Python scripts in a sandbox to verify they do only the expected API calls and file writes; (3) Do not run the Stock-Only Mode commands (or run them only after reviewing the external ig-automation code) unless you trust that other skill; (4) Ask the publisher to fix the metadata (declare GEMINI_API_KEY) and to clarify the model names and cross-skill instructions. If you cannot validate these points, treat the skill as untrusted and avoid installing or granting it automated execution rights.

Like a lobster shell, security has layers — review code before you run it.
latestvk97cz9q9407nca9ph3km03jtwh8255rx
