Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yummy Gen Image

v1.0.0

Use when the user wants to generate or edit raster images with Gemini through yummycli, including prompt-only generation, single-image editing, and multi-ima...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, required binary (yummycli), and primary credential (GEMINI_API_KEY) align with an image-generation skill that calls Gemini via a CLI. The declared dependency on a related 'yummy-shared' skill is plausible for shared configuration or auth.
Instruction Scope
SKILL.md only instructs running yummycli with prompt and optional local reference images, and describes CLI flags and defaults. It references local files (input-image paths) and current working directory output behavior — expected for an image-generation CLI. It does not instruct reading unrelated system files or exfiltrating data to unknown endpoints.
Install Mechanism
Registry metadata stated 'No install spec / instruction-only', but SKILL.md contains an install block that would install the npm package @yummysource/yummycli (providing the yummycli binary). That mismatch (metadata vs SKILL.md) is an inconsistency. The npm install approach itself is common but carries moderate risk: @yummysource is a scoped npm package (not a well-known vendor), so the package source and contents should be reviewed before installing.
Credentials
The skill declares GEMINI_API_KEY as the primary credential — appropriate for a Gemini-backed image generator. However, the registry summary earlier listed 'Required env vars: none' while the skill later declares a primaryEnv of GEMINI_API_KEY; this discrepancy should be resolved. No other credentials are requested in SKILL.md.
Persistence & Privilege
The skill does not request always:true and defaults to normal user-invocable/autonomous capabilities. It does not ask to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (run yummycli to generate/edit images via Gemini), but there are a couple of things to check before installing:

- Confirm the install behavior: SKILL.md contains an npm install for @yummysource/yummycli, but the registry metadata claimed there was no install spec. Ask the publisher which is authoritative and inspect the npm package contents (or the package's repository) before running install.
- Verify the package source and maintainership (@yummysource scope). If you can't inspect it, consider running in a sandboxed environment or container.
- Ensure the GEMINI_API_KEY you supply has appropriate, minimal permissions and rotate it if you later remove the skill. Understand that local image files passed as --input-image will be read and likely uploaded to Gemini by the CLI.
- Check and test the related yummy-shared skill: the skill asks that it be applied first; review it for any additional env vars or behaviors.

If the registry metadata is corrected (explicitly lists GEMINI_API_KEY in required env vars and documents the npm install) and you audit the npm package, the remaining footprint looks proportionate. If you cannot verify the package or the metadata mismatch isn't explained, avoid installing or run it in a restricted sandbox.




Runtime requirements

Bins: yummycli
Primary env: GEMINI_API_KEY
