Gemini Nano Images
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The core image-generation scripts look straightforward, but the skill also documents running a separate Instagram posting automation with persistent mode changes that are outside the reviewed code.
The provided Gemini image and caption scripts are mostly purpose-aligned: they call Google's Gemini API and save local image/caption files. Before installing, be careful with the API key, install the dependency in a controlled environment, and avoid following the separate `ig-automation` stock-only/posting commands unless you have reviewed that tool and explicitly approve any public posts or persistent posting modes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed blindly, an agent could move from generating assets into running a posting workflow that may affect a real Instagram account.
The image-generation skill tells the user/agent to change mode and run a separate Instagram automation tool, which can publish public content and is not bounded by clear approval or account-scope instructions.
cd ~/.openclaw/workspace/skills/ig-automation
python3 smart_poster_v4.py --set-mode stock_only --stock-days 14
...
python3 smart_poster_v4.py
Only use the external posting workflow after separately reviewing that automation, confirming which account it controls, and requiring explicit approval before any public post.
The skill may lead an agent to run unreviewed code from another local skill for a high-impact social-media action.
The referenced `smart_poster_v4.py` helper is outside this skill's manifest and source contents, so its posting behavior, credential handling, and safety controls are not reviewable here.
cd ~/.openclaw/workspace/skills/ig-automation
python3 smart_poster_v4.py --set-mode stock_only --stock-days 14
Do not run the referenced external script unless its source, dependencies, credentials, and posting safeguards have been reviewed separately.
A persistent posting mode could continue influencing future social-media automation after the immediate request is complete.
The documented workflow sets state in another automation that persists for 14 days and then automatically changes behavior, which extends beyond a single user-directed image-generation task.
After 14 days, automatic switch to "auto" (AI + Stock)
Require clear user consent for any persistent mode change, document how to inspect or revert it, and avoid enabling scheduled/posting automation from this image-generation skill.
Your Gemini API key may be used for billable requests, and passing it on the command line can expose it in shell history or process listings.
The skill requires a Google Gemini API key even though the registry metadata declares no primary credential; this is expected for the Gemini API but users should protect the key.
export GEMINI_API_KEY="your-api-key-here"
...
`-k, --api-key KEY` - Gemini API key
Prefer using the `GEMINI_API_KEY` environment variable or a secret manager, avoid sharing prompts containing sensitive data, and monitor API usage.
Installing packages manually can introduce dependency or version risks if done in a shared or untrusted Python environment.
The skill relies on a manually installed, unpinned external Python package; this is normal for a Gemini SDK integration but is not captured in an install spec.
pip install google-genai
Install `google-genai` in a virtual environment from the official package index and pin or record the version for reproducibility.
