← 返回 Skills 市场

Hana Image Gen MacOS

Name: Hana Image Gen MacOS
Author: eardori

作者 eardori · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install hana-image-gen-macos

功能描述

MacOS Gemini image gen via OpenRouter for OpenClaw agents. Auto-wait, gen, send image.

使用说明 (SKILL.md)

Hana Image Gen Pro (MacOS)

Agent Workflow

message action=send text="⏳ Generating image for: $prompt"
cd scripts && OPENROUTER_API_KEY=$OPENROUTER_API_KEY python3 gen.py "$prompt"
IMAGE=$(cat ../output.json | jq -r .paths[0])
message action=send media=$IMAGE caption="Generated: $prompt 😏" NO_REPLY.

Required Env

OPENROUTER_API_KEY, TELEGRAM_BOT_TOKEN (global .env)

安全使用建议

This skill appears to be trying to do what it says (generate images via OpenRouter) but contains several inconsistencies and bugs you should resolve before installing or running it with real secrets: - Do not provide credentials until fixed: OPENROUTER_API_KEY is required by the script; TELEGRAM_BOT_TOKEN is listed but unused — clarify whether the skill actually needs a Telegram token. The package metadata should declare required env vars correctly. - Fix the runtime mismatch: SKILL.md expects ../output.json but scripts/gen.py prints JSON to stdout and writes image files to /tmp. Either change SKILL.md to capture stdout into ../output.json or modify gen.py to write ../output.json. As-is, the workflow will fail. - Fix the code bug: scripts/gen.py references item.get(b64_json) (an undefined name) when constructing a data URL; that will raise an error if that branch runs. Review and correct that logic. - Review external fetch behavior: the script downloads arbitrary URLs returned by OpenRouter and writes them to /tmp. This is expected for an image generator but entails network fetches and writing data to disk — run in a sandbox and limit exposure if you have strict security requirements. - Audit OpenRouter usage: the script posts to https://openrouter.ai; confirm you trust that service and that the API key scope is limited. Consider rate limits and log handling. If you need this skill, ask the publisher to (1) update metadata to declare OPENROUTER_API_KEY, (2) remove or justify TELEGRAM_BOT_TOKEN, (3) correct SKILL.md to match gen.py behavior (or vice-versa), and (4) fix the b64_json bug. Until these issues are addressed, treat the skill as untrusted and run only in an isolated environment.

功能分析

Type: OpenClaw Skill Name: hana-image-gen-macos Version: 1.0.0 The skill contains a shell injection vulnerability in the `SKILL.md` workflow, which passes the user-controlled `$prompt` variable directly into a shell command (`python3 gen.py "$prompt"`) without sanitization. While the `scripts/gen.py` file appears to be a legitimate implementation for interacting with the OpenRouter API (https://openrouter.ai), the architectural flaw in the workflow allows for potential Command Injection. There is also a functional discrepancy where the workflow attempts to read from `../output.json` while the script only outputs results to stdout.

能力标签

requires-sensitive-credentials

能力评估

⚠ Purpose & Capability

The skill claims to generate images via OpenRouter/Gemini, which legitimately requires an OPENROUTER_API_KEY — the included script uses that. However the registry metadata declares no required env vars while SKILL.md lists OPENROUTER_API_KEY and TELEGRAM_BOT_TOKEN. TELEGRAM_BOT_TOKEN is not used in the code, so its presence in SKILL.md is unexplained.

⚠ Instruction Scope

SKILL.md instructs the agent to run the script and then to read ../output.json with jq to extract the image path. The provided scripts/gen.py writes JSON to stdout (prints to stdout) and does not create ../output.json, so the instructions and code disagree and will fail as written. The SKILL.md also declares TELEGRAM_BOT_TOKEN required but the runtime steps do not reference or use it. The agent will download arbitrary image URLs returned by OpenRouter — expected for this purpose but worth noting as external network fetching and file writes to /tmp occur.

✓ Install Mechanism

There is no install spec; this is instruction-plus-script only. No remote downloads or install-time archive extraction are present in the package, which is the lower-risk pattern for install mechanisms.

⚠ Credentials

The code legitimately requires OPENROUTER_API_KEY. TELEGRAM_BOT_TOKEN is listed in SKILL.md but not referenced anywhere in the code, and the registry metadata lists no required env vars — this mismatch is disproportionate and unclear. The script performs network calls and downloads images from URLs returned by OpenRouter; no other secrets are requested.

✓ Persistence & Privilege

The skill does not request permanent/always presence and does not modify system or other skills' configs. It runs on demand and writes output files to /tmp only.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install hana-image-gen-macos
安装完成后，直接呼叫该 Skill 的名称或使用 /hana-image-gen-macos 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

hana-image-gen-macos v1.0.0 - Initial release of Hana Image Gen Pro for MacOS. - Enables Gemini image generation via OpenRouter for OpenClaw agents. - Automated workflow: notifies on start, generates image, and sends result without reply. - Requires OPENROUTER_API_KEY and TELEGRAM_BOT_TOKEN environment variables.

元数据

Slug hana-image-gen-macos

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题