← Back to Skills Marketplace
Playwright Dev
by
icesumer-lgtm
· GitHub ↗
· v1.0.0
· MIT-0
571
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install playwright-dev
Description
Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K...
Usage Guidance
Do not trust or run scripts from this skill bundle as-is. Specific steps to consider:
- Stop and inspect: The package includes many unrelated files and at least one file with plaintext secrets (API keys, app secrets, tokens). Do not run any scripts until these are removed/validated.
- Verify the implementation: Open the generate_image.py(s) that SKILL.md refers to and audit for arbitrary network calls, file reads/writes, or code that uploads files or environment variables to unknown endpoints. Search for any occurrences of hardcoded URLs, 'requests', 'urllib', 'socket', or subprocess/exec calls.
- Remove secrets and unrelated files: If you only want the image helper, extract the minimal generate_image.py and supporting modules; remove the rest of the workspace and any files containing credentials. Ensure no plaintext secrets remain.
- Avoid sharing keys in chat/CLI: Prefer setting GEMINI_API_KEY in a safe environment and avoid pasting API keys into chat messages or command-line arguments that could be logged.
- Run safely: If you must try the skill, run it in an isolated environment (throwaway VM or container) with network access restricted, and monitor outbound connections. Inspect network traffic to confirm calls go only to expected Gemini/Google endpoints.
- Consider sourcing: The skill has no homepage and unknown source; prefer official SDKs or well-known wrappers for Gemini / Google image APIs.
If you want, I can (a) scan the generate_image.py file for network/call patterns and suspicious code, (b) search the bundle for plaintext secrets and list them so you can remove them, or (c) help extract a minimal, sanitized version of the image script that only connects to the documented Gemini endpoint.
Capability Analysis
Type: OpenClaw Skill
Name: playwright-dev
Version: 1.0.0
The skill bundle contains multiple hardcoded sensitive credentials, including an Aliyun API key (sk-1f3847debc3e492e81f64115b20c6d82) and a Feishu App Secret (t0am3JU79N9TSEPgrk7GKbVLHmCdRGUe) across several files like fetch_feishu_docs.py and vectorize-and-store.py. It also utilizes risky execution patterns, such as using execSync to run system commands like robocopy and chrome.exe in hooks/gateway-restart-protection/handler.js and scripts/triple-line-sync.js. While these appear to be part of an extensive personal automation framework ('Axiang'), the inclusion of live secrets and the use of shell execution for file management present significant security vulnerabilities.
Capability Assessment
Purpose & Capability
The SKILL.md describes an image-generation/editing helper for Gemini (Nano Banana Pro) and expects an API key (GEMINI_API_KEY). However the package contains a large, general-purpose workspace (hundreds of files, agents/, dashboards/, backups, many scripts) unrelated to a single image tool. The skill metadata declares no required env or binaries, yet instructions reference GEMINI_API_KEY and the 'uv' binary. The presence of many unrelated files (agents, dashboards, backups) is disproportionate to the stated single-purpose image generator.
Instruction Scope
SKILL.md runtime instructions are narrowly about running a generate_image.py script, passing --api-key or GEMINI_API_KEY and reading a local input image when editing. That scope would be reasonable, but the SKILL.md contains prompt-injection indicators (see scan findings) and references absolute paths (~/.codex/skills/nano-banana-pro/scripts/...), yet the archive's file manifest shows generate_image.py located under different paths (clawhub skills/... and scripts/...), indicating a path mismatch which may cause the agent to search the filesystem unpredictably. The instructions allow passing an API key on the command line or in-chat (useful but risky), and they instruct checking files in the current working directory — expected for image edits but could be abused to read local files if code is malicious. Overall the explicit runtime instructions are narrow but there is suspicious/incoherent content and injection patterns.
Install Mechanism
The skill declares no install spec (instruction-only), which would normally be low-risk. Yet the uploaded bundle clearly contains many code files (93+ listed) and a 615-file manifest — inconsistent with 'instruction-only'. Because there is no explicit install step, an agent or user following SKILL.md might execute scripts directly from various paths. The mismatch between 'no install' and many included files increases risk: the package includes many unrelated artifacts and embedded secrets, and there is no controlled install provenance.
Credentials
Registry metadata declared no required env vars, but SKILL.md expects GEMINI_API_KEY (or --api-key). More importantly, the archive contains files with plaintext API keys, app secrets, tokens and other credentials (for example 2026-3-10afu的js备份.txt contains multiple API keys, appSecret, verificationToken, etc.) unrelated to image generation. That is a serious red flag: the bundle includes sensitive credentials that the skill neither declares nor justifies. Requiring/accepting a user API key as a command-line/chat parameter is plausible, but combined with embedded secrets and unrelated service credentials this is disproportionate.
Persistence & Privilege
The skill does not request always:true and does not declare persistent privileges. That said, the bundle itself contains many files that indicate a broad workspace (agents, memory, tokens). Installing or running scripts from this bundle could give code access to many unrelated local files. The skill does not explicitly request to modify other skills or system settings, but the presence of general workspace files increases the blast radius if code is executed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install playwright-dev - After installation, invoke the skill by name or use
/playwright-dev - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Nano Banana Pro image generation & editing skill initial release:
- Enables both new image creation and image editing using Google's Gemini 3 Pro Image API.
- Supports prompt-based text-to-image and image-to-image workflows with 1K, 2K, or 4K resolutions.
- Introduces a clear filename scheme: `{timestamp}-{descriptive-name}.png` for easy organization.
- Handles resolution requests and API keys with user-friendly defaults and error messages.
- Provides robust usage documentation, editing instructions, and high-quality prompt templates for better results.
Metadata
Frequently Asked Questions
What is Playwright Dev?
Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K... It is an AI Agent Skill for Claude Code / OpenClaw, with 571 downloads so far.
How do I install Playwright Dev?
Run "/install playwright-dev" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Playwright Dev free?
Yes, Playwright Dev is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Playwright Dev support?
Playwright Dev is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Playwright Dev?
It is built and maintained by icesumer-lgtm (@icesumer-lgtm); the current version is v1.0.0.
More Skills