Playwright Dev
Author: icesumer-lgtm · GitHub · v1.0.0 · MIT-0
Total downloads: 571
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install playwright-dev
Description
Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K...
Security Usage Recommendations
Do not trust or run scripts from this skill bundle as-is. Specific steps to consider:
- Stop and inspect: The package includes many unrelated files and at least one file with plaintext secrets (API keys, app secrets, tokens). Do not run any scripts until these are removed/validated.
- Verify the implementation: Open the generate_image.py(s) that SKILL.md refers to and audit for arbitrary network calls, file reads/writes, or code that uploads files or environment variables to unknown endpoints. Search for any occurrences of hardcoded URLs, 'requests', 'urllib', 'socket', or subprocess/exec calls.
- Remove secrets and unrelated files: If you only want the image helper, extract the minimal generate_image.py and supporting modules; remove the rest of the workspace and any files containing credentials. Ensure no plaintext secrets remain.
- Avoid sharing keys in chat/CLI: Prefer setting GEMINI_API_KEY in a safe environment and avoid pasting API keys into chat messages or command-line arguments that could be logged.
- Run safely: If you must try the skill, run it in an isolated environment (throwaway VM or container) with network access restricted, and monitor outbound connections. Inspect network traffic to confirm calls go only to expected Gemini/Google endpoints.
- Consider sourcing: The skill has no homepage and unknown source; prefer official SDKs or well-known wrappers for Gemini / Google image APIs.
If you want, I can (a) scan the generate_image.py file for network/call patterns and suspicious code, (b) search the bundle for plaintext secrets and list them so you can remove them, or (c) help extract a minimal, sanitized version of the image script that only connects to the documented Gemini endpoint.
Functional Analysis
Type: OpenClaw Skill
Name: playwright-dev
Version: 1.0.0
The skill bundle contains multiple hardcoded sensitive credentials, including an Aliyun API key (sk-1f3847debc3e492e81f64115b20c6d82) and a Feishu App Secret (t0am3JU79N9TSEPgrk7GKbVLHmCdRGUe) across several files like fetch_feishu_docs.py and vectorize-and-store.py. It also utilizes risky execution patterns, such as using execSync to run system commands like robocopy and chrome.exe in hooks/gateway-restart-protection/handler.js and scripts/triple-line-sync.js. While these appear to be part of an extensive personal automation framework ('Axiang'), the inclusion of live secrets and the use of shell execution for file management present significant security vulnerabilities.
Capability Assessment
Purpose & Capability
The SKILL.md describes an image-generation/editing helper for Gemini (Nano Banana Pro) and expects an API key (GEMINI_API_KEY). However the package contains a large, general-purpose workspace (hundreds of files, agents/, dashboards/, backups, many scripts) unrelated to a single image tool. The skill metadata declares no required env or binaries, yet instructions reference GEMINI_API_KEY and the 'uv' binary. The presence of many unrelated files (agents, dashboards, backups) is disproportionate to the stated single-purpose image generator.
Instruction Scope
SKILL.md runtime instructions are narrowly about running a generate_image.py script, passing --api-key or GEMINI_API_KEY and reading a local input image when editing. That scope would be reasonable, but the SKILL.md contains prompt-injection indicators (see scan findings) and references absolute paths (~/.codex/skills/nano-banana-pro/scripts/...), yet the archive's file manifest shows generate_image.py located under different paths (clawhub skills/... and scripts/...), indicating a path mismatch which may cause the agent to search the filesystem unpredictably. The instructions allow passing an API key on the command line or in-chat (useful but risky), and they instruct checking files in the current working directory — expected for image edits but could be abused to read local files if code is malicious. Overall the explicit runtime instructions are narrow but there is suspicious/incoherent content and injection patterns.
Install Mechanism
The skill declares no install spec (instruction-only), which would normally be low-risk. Yet the uploaded bundle clearly contains many code files (93+ listed) and a 615-file manifest — inconsistent with 'instruction-only'. Because there is no explicit install step, an agent or user following SKILL.md might execute scripts directly from various paths. The mismatch between 'no install' and many included files increases risk: the package includes many unrelated artifacts and embedded secrets, and there is no controlled install provenance.
Credentials
Registry metadata declared no required env vars, but SKILL.md expects GEMINI_API_KEY (or --api-key). More importantly, the archive contains files with plaintext API keys, app secrets, tokens and other credentials (for example 2026-3-10afu的js备份.txt contains multiple API keys, appSecret, verificationToken, etc.) unrelated to image generation. That is a serious red flag: the bundle includes sensitive credentials that the skill neither declares nor justifies. Requiring/accepting a user API key as a command-line/chat parameter is plausible, but combined with embedded secrets and unrelated service credentials this is disproportionate.
Persistence & Privilege
The skill does not request always:true and does not declare persistent privileges. That said, the bundle itself contains many files that indicate a broad workspace (agents, memory, tokens). Installing or running scripts from this bundle could give code access to many unrelated local files. The skill does not explicitly request to modify other skills or system settings, but the presence of general workspace files increases the blast radius if code is executed.
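How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install playwright-dev
- Once installation completes, call the Skill by name or use /playwright-dev to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output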
Version History
v1.0.0
Nano Banana Pro image generation & editing skill initial release:
- Enables both new image creation and image editing using Google's Gemini 3 Pro Image API.
- Supports prompt-based text-to-image and image-to-image workflows with 1K, 2K, or 4K resolutions.
- Introduces a clear filename scheme: `{timestamp}-{descriptive-name}.png` for easy organization.
- Handles resolution requests and API keys with user-friendly defaults and error messages.
- Provides robust usage documentation, editing instructions, and high-quality prompt templates for better results.
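FAQ
What is Playwright Dev?
Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 571 total downloads to date.
How do I install Playwright Dev?
Run the command "/install playwright-dev" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Playwright Dev free?
Yes, Playwright Dev is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does Playwright Dev support?
Playwright Dev is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Playwright Dev?
Developed and maintained by icesumer-lgtm (@icesumer-lgtm); the current version is v1.0.0.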