zero2ai-hub

Skill X Post Ai Image

by Zero2Ai · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
424 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw
/install skill-x-post-ai-image
Description
Generate an AI image via Gemini and post it to X (Twitter) using OAuth1. Supports text-only or text+image tweets.
Usage Guidance
This skill appears to do what it claims (generate a Gemini image and post it to X), but the package metadata is incomplete and brittle. Before installing or running it: (1) Do not paste secrets into your environment unless you trust the source — the script requires X OAuth1 keys and GEMINI_API_KEY but the registry did not declare them. (2) Verify and/or supply the nano-banana-pro generate_image.py it calls — the script defaults to a hard-coded path outside the bundle; inspect that file so you know what code will run. (3) Ensure Python dependencies (Pillow, requests_oauthlib) are installed in a controlled environment. (4) Prefer running this in an isolated/test environment first and confirm xurl and uv are the expected CLIs. If you need to proceed safely, ask the publisher to update the registry: declare required env vars, list Python dependencies, and avoid hard-coded paths or include the image-generation implementation instead of relying on another skill's file.
Capability Analysis
Type: OpenClaw Skill
Name: skill-x-post-ai-image
Version: 1.0.1
The skill is classified as suspicious due to significant potential vulnerabilities, primarily the Remote Code Execution (RCE) risk in `scripts/post_with_image.py`. The script allows the path to the `nano-banana-pro` skill's script to be overridden by the `NANO_BANANA_SCRIPT` environment variable. If an attacker can control this environment variable (e.g., via prompt injection against the OpenClaw agent), they could execute arbitrary code. Additionally, the script relies on external binaries (`uv`, `xurl`) and passes user-controlled input to them, creating a potential vulnerability chain if these downstream components are not robust against command injection.
Capability Assessment
Purpose & Capability
Name/description (Gemini image → post to X) match the included script and SKILL.md. Declared required binaries (uv, xurl) match what the script runs. However the registry metadata lists no required env vars or credentials even though the runtime needs X OAuth keys and a GEMINI_API_KEY, so the manifest is incomplete.
Instruction Scope
SKILL.md and the script require environment variables (GEMINI_API_KEY, X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) and instruct running a separate nano-banana-pro script; those env vars are not declared in the registry metadata. The script reads X_* creds at module import time (os.environ[...] without defaults), which will raise immediately if absent. The instructions also assume presence of another skill's script at a hard-coded path (/home/linuxbrew/.../nano-banana-pro/scripts/generate_image.py), which is outside this skill's bundle and could be missing or point to unexpected code.
Install Mechanism
There is no install spec (instruction-only), which keeps disk write risk low. But the Python script depends on packages (Pillow, requests_oauthlib) that are neither declared nor installed by the skill; runtime will fail unless the environment already has these. The reliance on an external skill's script path is brittle and raises supply-chain/availability concerns.
Credentials
The skill requires multiple sensitive credentials (X OAuth1 consumer/consumer_secret/access token/secret and GEMINI_API_KEY) to function, which are proportionate to the stated purpose. The problem is these required credentials are not declared in the registry metadata (required env vars: none / primary credential: none), increasing the chance a user will supply secrets in an unexpected way. The script also passes GEMINI_API_KEY into a subprocess environment and base64-encodes image data for upload (expected for Twitter), but lack of explicit declaration and documentation in the registry is a notable mismatch.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as an on-demand command/script with no persistent presence declared.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-x-post-ai-image
  3. After installation, invoke the skill by name or use /skill-x-post-ai-image
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- No changes detected in this version.
- Functionality, documentation, and setup remain the same as the previous release.
v1.0.0
Post to X/Twitter with Gemini-generated images. One command: text prompt → AI image → published tweet. Supports text-only mode.
Metadata
Slug skill-x-post-ai-image
Version 1.0.1
License
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is Skill X Post Ai Image?

Generate an AI image via Gemini and post it to X (Twitter) using OAuth1. Supports text-only or text+image tweets. It is an AI Agent Skill for Claude Code / OpenClaw, with 424 downloads so far.

How do I install Skill X Post Ai Image?

Run "/install skill-x-post-ai-image" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill X Post Ai Image free?

Yes, Skill X Post Ai Image is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill X Post Ai Image support?

Skill X Post Ai Image is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Skill X Post Ai Image?

It is built and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.1.
