← Back to Skills Marketplace
Yummy Shared
by
yummysource
· GitHub ↗
· v1.1.0
· MIT-0
131
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install yummy-shared
Description
Use when operating yummycli for the first time, checking Gemini credential status, handling yummycli JSON command output, or applying shared CLI safety rules...
Usage Guidance
This skill appears to do what it claims (help run yummycli and check Gemini auth) but has several things to verify before trusting it: 1) The SKILL.md asks to install @yummysource/yummycli from npm—confirm that package and publisher are legitimate (check npm page, GitHub source, and owner identity) before allowing installs. 2) The skill is marked always: true; ask whether you need it active for every agent run — if not, disable always so it only runs when explicitly invoked. 3) Avoid embedding API keys on the command line (the docs show --api-key "<api-key>") because that can leak secrets; prefer configuring GEMINI_API_KEY in the environment or using the CLI's secure config. 4) Because there's no homepage or source listed, exercise extra caution: if you can't verify the npm package or the owner, do not install, or sandbox the install. If you decide to proceed, set GEMINI_API_KEY only when needed and monitor for unexpected network activity or unexpected modifications to system binaries.
Capability Analysis
Type: OpenClaw Skill
Name: yummy-shared
Version: 1.1.0
The skill bundle provides standard operational instructions and safety rules for an AI agent to interact with the 'yummycli' tool for Gemini-based image and video generation. The SKILL.md file defines legitimate authentication procedures, output parsing logic, and safety constraints without any evidence of malicious intent, data exfiltration, or harmful prompt injection.
Capability Tags
Capability Assessment
Purpose & Capability
Name, description, required binary (yummycli), and required env (GEMINI_API_KEY) match the stated purpose of managing yummycli/Gemini usage. However, there's an inconsistency: the registry metadata said 'no install spec / instruction-only', yet the SKILL.md includes an 'install' entry that installs an npm package (@yummysource/yummycli). The presence of an npm install in SKILL.md is plausible for providing the yumycli binary but contradicts the earlier metadata.
Instruction Scope
Runtime instructions are narrowly scoped to checking auth status, initializing Gemini, parsing yummycli JSON stdout, and enforcing simple safety rules (use local user-provided files, preserve flag order, report output). No instructions ask to read other system files. Warning: the docs show passing an API key directly on the command line (yummycli gemini init --api-key "<api-key>") which risks exposing secrets via process lists or shell history; the SKILL.md also declares GEMINI_API_KEY as the primary credential, so prefer using the environment variable rather than embedding keys in CLI args.
Install Mechanism
SKILL.md specifies installing a Node package (@yummysource/yummycli) which is a moderate-risk install mechanism (public npm). The registry metadata elsewhere indicated 'no install spec', making this contradictory. There is no homepage/source url given in the registry to verify the package or author; that reduces the ability to audit the install. If you plan to allow the skill to install software, verify the npm package identity and trust the publisher.
Credentials
The only required environment variable is GEMINI_API_KEY, which is proportional for a skill that manages Gemini-based image generation. No unrelated credentials are requested. Note the combination of a required credential plus the CLI-pattern shown (embedding keys) increases the chance of accidental secret leakage if users copy/paste commands.
Persistence & Privilege
The skill is marked always: true, meaning it will be force-included in every agent run. That is a significant privilege for a helper that merely enforces CLI safety rules; always: true is not clearly justified. Combined with autonomous invocation and access to GEMINI_API_KEY, this raises the blast radius if the skill or its installable package is compromised. Consider removing always: true or require explicit invocation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install yummy-shared - After installation, invoke the skill by name or use
/yummy-shared - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
- Expanded output contract documentation to include both image and video JSON response examples.
- Clarified that all `yummycli` generation commands return JSON on stdout, not just image commands.
v1.0.0
yummy-shared 1.0.0
- Initial release of shared operating rules for the yummycli command-line tool.
- Provides setup instructions for Gemini provider authentication.
- Describes JSON output contract for yummycli image commands.
- Details shared CLI safety requirements for image generation and editing.
- Lists requirements for usage, including the GEMINI_API_KEY environment variable and yummycli binary.
Metadata
Frequently Asked Questions
What is Yummy Shared?
Use when operating yummycli for the first time, checking Gemini credential status, handling yummycli JSON command output, or applying shared CLI safety rules... It is an AI Agent Skill for Claude Code / OpenClaw, with 131 downloads so far.
How do I install Yummy Shared?
Run "/install yummy-shared" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Yummy Shared free?
Yes, Yummy Shared is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Yummy Shared support?
Yummy Shared is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Yummy Shared?
It is built and maintained by yummysource (@yummysource); the current version is v1.1.0.
More Skills