Poster Designer
Author: Andy Liang · GitHub · v1.0.0 · MIT-0
114 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install poster-designer
Description
Create professional posters and visual designs using AI image generation. Supports event posters, product showcases, announcements, and social media graphics...
Safe Usage Advice
This skill appears to implement what it claims (poster generation via Gemini), but its scripts carry several real implementation risks you should weigh before installing or running it:
- Command injection risk: compose-poster.js builds an ImageMagick command string that embeds user-provided text and executes it with execSync, which goes through a shell. Escaping double quotes is not enough: inside a double-quoted shell word, $(...), backticks and $VAR are still expanded, and a value containing \" becomes \\" in the command, which closes the quote so that a following ; starts a new command. Malicious or poorly sanitized text in title/subtitle/other fields can therefore run arbitrary shell commands on the host. Ask the author to switch to child_process.execFile/spawn with an argument array (no shell is involved, so metacharacters are passed to ImageMagick as literal text) and to validate field contents in addition.
- .env loading risk: generate-poster.js automatically reads ../.env and imports every key into process.env. That can leak or accidentally use unrelated secrets stored in a repository-level .env. Keep other secrets out of that file, or modify the code to only load GEMINI_API_KEY or accept it exclusively from a secure environment store.
- API key handling: the script places the API key in the request URL (?key=...), where proxies, web-server access logs and URL-capturing tooling routinely record it. Prefer sending the key in a request header instead (the Gemini REST API accepts an x-goog-api-key header for API keys; Authorization: Bearer is for OAuth access tokens, not API keys) to reduce accidental exposure.
- Run in isolation: until these issues are addressed, run the skill in an isolated environment/container with minimal permissions and no extra secrets present in .env. Review the scripts yourself or request the upstream author to harden input handling and secret usage.
If you cannot accept these risks, do not install/run the skill; if you proceed, at minimum provide GEMINI_API_KEY via a controlled environment variable (not a repo .env with other secrets), and avoid passing untrusted text to the CLI without sanitization.
Functional Analysis
Type: OpenClaw Skill
Name: poster-designer
Version: 1.0.0
The skill bundle contains a critical shell injection vulnerability in 'scripts/compose-poster.js'. The 'generateImageMagickCommand' function constructs a shell command for 'execSync' using user-provided inputs (such as titles, dates, and venues) with insufficient sanitization: only double quotes are escaped, so $(...) and backtick expansion inside the quoted word still happen, and a value containing \" turns into \\" and closes the quote. This allows arbitrary command execution. While the bundle's logic is consistent with its stated purpose of poster design and Gemini API integration, this high-risk coding flaw could be exploited to compromise the host environment.
Capability Assessment
Purpose & Capability
Name/description match the code and docs: both scripts call the Gemini image generation API, offer templates, and compose text overlays. Required capability (GEMINI API access) is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs users to set GEMINI_API_KEY and claims user content is not stored; the runtime code loads a .env file (path: scripts/../.env) and merges all key=value pairs into process.env if not already set, which can pull in unrelated secrets from a repo-level .env. The compose script constructs and execs an ImageMagick shell command that embeds user-provided text; user-supplied fields (title, subtitle, etc.) flow into shell commands without safe argument isolation, creating a command-injection risk.
Install Mechanism
No install spec; this is instruction+script-only. No external downloads or installers are declared, so installation risk is minimal. The scripts assume ImageMagick or a browser fallback (HTML), which is aligned with the task.
Credentials
The only declared secret is the Gemini API key (GEMINI_API_KEY), which is appropriate. However, the code loads an arbitrary .env file and imports all key/value pairs into process.env (not limited to GEMINI_API_KEY), which could unintentionally expose other secrets present on the host. The code also sends the API key as a query parameter in API requests (key=...), which may be logged by intermediaries; sending it in a request header would be safer (the Gemini REST API accepts x-goog-api-key for API keys, while Authorization: Bearer is meant for OAuth access tokens).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will write generated outputs to disk (defaultOutputPath: /workspace/openclaw-data/exports and HTML files alongside inputs) which is normal for a poster generator, but you should be aware it creates files in the agent/workspace. No evidence it alters other skills or system-wide config.
How to Use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install poster-designer
- After installation, call the Skill by name or trigger it with /poster-designer
- Provide the required inputs according to the Skill's parameter description to receive structured output.
Version History
v1.0.0
Initial release: AI-powered poster generation with Gemini API integration. Supports event posters, product showcases, announcements, and social media graphics.
FAQ
What is Poster Designer?
Create professional posters and visual designs using AI image generation. Supports event posters, product showcases, announcements, and social media graphics... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 114 downloads to date.
How do I install Poster Designer?
Run the command "/install poster-designer" in the OpenClaw or Claude Code chat box to install it in one step. The only configuration it needs is a GEMINI_API_KEY, which should be supplied through a controlled environment variable rather than a shared repository .env (see Safe Usage Advice).
Is Poster Designer free?
Yes. Poster Designer is completely free under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Poster Designer support?
Poster Designer is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed. Compositing uses ImageMagick where available, with an HTML fallback otherwise.
Who developed Poster Designer?
Developed and maintained by Andy Liang (@andylikescodes); the current version is v1.0.0.