icesumer-lgtm

Qwen Comic Gen

by icesumer-lgtm · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 614
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install qwen-comic-gen
Description
Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K...
Usage Guidance
What to consider before installing or running this skill:
- Don’t run it as-is. The package contains a large unrelated workspace and plaintext credentials (API keys, app secrets, tokens) which are exposed in files included with the skill. An image-generation helper does not need these.
- Verify the actual script to be executed. Open the generate_image.py file that will be run (and any helpers it imports) and search for network calls (requests/http client), file I/O beyond image read/write, and any code that reads other config files or home-directory paths. Confirm endpoints and that no unexpected remote endpoints are contacted.
- Confirm script path and provenance. SKILL.md references ~/.codex/skills/nano-banana-pro/scripts/generate_image.py but repository paths differ (scripts/generate_image.py, clawhub skills/... ). Ask the publisher which file is authoritative and why the bundle contains unrelated workspace files.
- Remove or secure embedded secrets. The bundle includes plaintext secrets (example: 2026-3-10afu的js备份.txt and various config files). These should be removed before installing, or the package should be republished without any secret/config dumps.
- Run in an isolated sandbox. If you need to test, run the script in a disposable VM/container with no access to your real home or credentials to limit blast radius.
- Avoid pasting API keys in chat. Prefer using environment variables set only in a controlled runtime, and never pass sensitive keys in a public or untrusted UI.
- Ask the author for a minimal, audited release. A trustworthy skill should contain only the files needed (single controlled script or small package), clear install instructions from a known release host (GitHub release, official registry), and no extraneous secrets or large unrelated workspaces.

If you want, I can:
- Inspect the specific generate_image.py files in this bundle (show me the file contents) and list every external endpoint and file path they touch.
- Search the repo for 'GEMINI', 'apiKey', 'appSecret', 'token', 'http', 'requests', 'urllib' to highlight suspicious code paths.
Capability Analysis
Type: OpenClaw Skill
Name: qwen-comic-gen
Version: 1.0.0
The skill bundle contains several high-risk security vulnerabilities, most notably a potential Remote Code Execution (RCE) flaw in 'mermaid_generator.py' and 'scripts/mermaid-generator.py' due to the use of 'shell=True' within 'subprocess.run' on user-provided inputs. Additionally, multiple scripts (e.g., 'fetch_feishu_docs.py', 'scripts/debug-search-step.py', 'scripts/vectorize-and-store.py', and 'vectorize_all.py') contain hardcoded Aliyun API keys and Feishu App Secrets. While these appear to be functional tools for a personal automation environment, the combination of exposed credentials and unsafe command execution patterns poses a significant security risk.
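The checks recommended above (grep the bundle for network and credential strings, inspect the script for command execution) can be automated before anything in the bundle is run. The following is an added example written for this listing, not code from the skill or its author: a small AST-based audit that walks a directory of Python files and reports subprocess calls with shell=True (and os.system/os.popen), string literals assigned to credential-like names, and imports of network or command-execution modules. The module names, regexes and the SAMPLE_SCRIPT it runs on by default are constructed here; the key in the sample is fake.

```python
"""Added example: static pre-install audit of Python files in a skill bundle."""
import ast
import re
import sys
from pathlib import Path
from typing import Dict, List

# Assumed lists: modules whose import signals network access or command execution.
NETWORK_MODULES = {"requests", "httpx", "urllib", "urllib3", "http", "socket", "aiohttp"}
EXEC_MODULES = {"subprocess", "os"}
# Credential-like variable names, and values that look real rather than placeholders.
SECRET_NAME_RE = re.compile(r"(api[_-]?key|app[_-]?secret|secret|token|password|passwd)", re.I)
SECRET_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")
PLACEHOLDER_RE = re.compile(r"(your|example|placeholder|xxx|changeme|<)", re.I)


def _call_name(node: ast.Call) -> str:
    """Dotted name of the call target, e.g. 'subprocess.run'. Bare names created by
    'from subprocess import run' are not resolved by this simple helper."""
    parts: List[str] = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def audit_source(source: str, filename: str = "<memory>") -> Dict[str, List[str]]:
    """Return findings keyed by category; each entry reads 'file:line detail'."""
    findings: Dict[str, List[str]] = {
        "shell_exec": [], "hardcoded_secrets": [], "network_imports": [], "exec_imports": []}
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        # Imports of modules that reach the network or spawn processes.
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            root = mod.split(".")[0]
            if root in NETWORK_MODULES:
                findings["network_imports"].append(f"{filename}:{node.lineno} import {mod}")
            elif root in EXEC_MODULES:
                findings["exec_imports"].append(f"{filename}:{node.lineno} import {mod}")

        # subprocess.* with shell=True, or os.system/os.popen, which always use a shell.
        if isinstance(node, ast.Call):
            name = _call_name(node)
            shell_kw = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                           and kw.value.value is True for kw in node.keywords)
            if (name.startswith("subprocess.") and shell_kw) or name in {"os.system", "os.popen"}:
                findings["shell_exec"].append(f"{filename}:{node.lineno} {name} (shell command)")

        # Credential-looking string literal assigned to a credential-like name.
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            value = node.value.value
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME_RE.search(target.id)
                        and SECRET_VALUE_RE.match(value) and not PLACEHOLDER_RE.search(value)):
                    findings["hardcoded_secrets"].append(
                        f"{filename}:{node.lineno} {target.id} = '{value[:4]}...' (redacted)")
    return findings


def audit_tree(root: Path) -> Dict[str, List[str]]:
    """Audit every .py file below root, skipping files that do not parse."""
    merged: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*.py")):
        try:
            result = audit_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue
        for key, items in result.items():
            merged.setdefault(key, []).extend(items)
    return merged


# Constructed sample reproducing the patterns the analysis reports; the key is fake.
SAMPLE_SCRIPT = '''\
import subprocess
import requests
from urllib.request import urlopen

GEMINI_API_KEY = "sk-CONSTRUCTED-SAMPLE-KEY-0123456789"
APP_SECRET = "<your-app-secret>"
OUTPUT_DIR = "./out"

def render(diagram):
    # user-controlled text spliced into a shell string: the pattern flagged above
    subprocess.run("mmdc -i " + diagram, shell=True)
    subprocess.run(["mmdc", "-i", diagram])   # argv form, no shell: not flagged
'''


def audit_sample() -> Dict[str, List[str]]:
    return audit_source(SAMPLE_SCRIPT, "sample.py")


if __name__ == "__main__":
    report = audit_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else audit_sample()
    for category, items in report.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("  ", item)
```

Run it as `python audit.py /path/to/unpacked-skill` against the extracted bundle (not the installed location) and read the output before deciding whether to install; the secret finding prints only the first four characters of the value so the report itself does not leak the credential. Findings are indicators for manual review, not proof of exploitability: the argv form of subprocess.run is deliberately not flagged, and an environment-variable lookup such as GEMINI_API_KEY from os.environ is the pattern the SKILL.md describes and produces no finding.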
Capability Assessment
Purpose & Capability
The skill is named/marketed as 'Qwen Comic Gen' / Nano Banana Pro (Gemini 3 Pro Image) but the SKILL.md uses a different internal name (nano-banana-pro) and expects a script at ~/.codex/skills/nano-banana-pro/scripts/generate_image.py. The repository contains many unrelated projects/files (615 files) and many scripts under different paths (e.g., scripts/generate_image.py, clawhub skills/scripts/generate_image.py). A simple image-generation helper would not legitimately include large unrelated workspace files, agent configs, or plaintext secrets found here. The mismatch of names (Qwen vs Nano Banana Pro/Gemini) is also inconsistent.
Instruction Scope
The runtime instructions tell the agent/user to execute a local Python script via 'uv run' at a hard-coded absolute path. That will execute arbitrary code from disk; because the bundle contains many scripts, it's unclear which file will be run in a given installation. The SKILL.md requires/reads an API key either from --api-key or GEMINI_API_KEY—which is reasonable for a generator—but the package also contains many other configuration files and credentials unrelated to image generation. The SKILL.md does not explicitly instruct reading other workspace files, but the presence of many scripts and the absolute path instruction increases the risk the script will access other local files (including the plaintext secrets present).
Install Mechanism
There is no formal install spec (instruction-only), which normally lowers risk; however the published bundle includes 93 code files and 615 total files from an entire workspace. Packaging a whole workspace without a clear install step or trusted release source is disproportionate to the claimed purpose. It increases the chance that opportunistic or unrelated files (or accidental secret dumps) are present and will be used by the runtime script.
Credentials
SKILL.md declares only GEMINI_API_KEY (via env or CLI) which is appropriate. But the package contains multiple configuration files (e.g., 2026-3-10afu的js备份.txt, openclaw configs) with numerous plaintext API keys, app secrets, tokens and other credentials unrelated to Gemini image generation. Those embedded credentials are not justified by the skill description and present a sensitive data exposure risk if the skill or its scripts read or transmit workspace files.
Persistence & Privilege
'always: false' is set and no persistence is declared. The skill instructs running a script from an absolute path under ~/.codex, which implies an expectation of a skill-installed location in the user's home. That pattern is not inherently privileged, but because the bundle contains extensive workspace files and secrets, granting the skill runtime execution permission increases the blast radius. Autonomous invocation is enabled by default (normal), but combined with the other red flags the ability to run local scripts autonomously is notable.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install qwen-comic-gen
  3. After installation, invoke the skill by name or use /qwen-comic-gen
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Nano Banana Pro image generation and editing initial release:
- Generate new images or edit existing ones using Gemini 3 Pro Image API.
- Supports text-to-image and image-to-image workflows; choose 1K, 2K, or 4K resolution.
- Handles API key via CLI argument or environment variable.
- Smart filename generation using timestamp and prompt keywords.
- Output images saved to current working directory; clear error handling for common failures.
- Includes workflow tips, prompt suggestions, and resolution mapping.
Metadata
Slug qwen-comic-gen
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Qwen Comic Gen?

Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K... It is an AI Agent Skill for Claude Code / OpenClaw, with 614 downloads so far.

How do I install Qwen Comic Gen?

Run "/install qwen-comic-gen" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Qwen Comic Gen free?

Yes, Qwen Comic Gen is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Qwen Comic Gen support?

Qwen Comic Gen is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Qwen Comic Gen?

It is built and maintained by icesumer-lgtm (@icesumer-lgtm); the current version is v1.0.0.
