Qwen Comic Gen
Author: icesumer-lgtm · GitHub · v1.0.0 · MIT-0
Total downloads: 614
Favorites: 0
Currently installed: 0
Versions: 1
Install in OpenClaw:
/install qwen-comic-gen
Description
Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K...
Safe-use recommendations
What to consider before installing or running this skill:
- Don’t run it as-is. The package contains a large unrelated workspace and plaintext credentials (API keys, app secrets, tokens) which are exposed in files included with the skill. An image-generation helper does not need these.
- Verify the actual script to be executed. Open the generate_image.py file that will be run (and any helpers it imports) and search for network calls (requests/http client), file I/O beyond image read/write, and any code that reads other config files or home-directory paths. Confirm endpoints and that no unexpected remote endpoints are contacted.
- Confirm script path and provenance. SKILL.md references ~/.codex/skills/nano-banana-pro/scripts/generate_image.py but repository paths differ (scripts/generate_image.py, clawhub skills/... ). Ask the publisher which file is authoritative and why the bundle contains unrelated workspace files.
- Remove or secure embedded secrets. The bundle includes plaintext secrets (example: 2026-3-10afu的js备份.txt and various config files). These should be removed before installing or the package should be republished without any secret/config dumps.
- Run in an isolated sandbox. If you need to test, run the script in a disposable VM/container with no access to your real home or credentials to limit blast radius.
- Avoid pasting API keys in chat. Prefer using environment variables set only in a controlled runtime, and never pass sensitive keys in a public or untrusted UI.
- Ask the author for a minimal, audited release. A trustworthy skill should contain only the files needed (single controlled script or small package), clear install instructions from a known release host (GitHub release, official registry), and no extraneous secrets or large unrelated workspaces.
If you want, I can:
- Inspect the specific generate_image.py files in this bundle (show me the file contents) and list every external endpoint and file path they touch.
- Search the repo for 'GEMINI', 'apiKey', 'appSecret', 'token', 'http', 'requests', 'urllib' to highlight suspicious code paths.
Functional analysis
Type: OpenClaw Skill
Name: qwen-comic-gen
Version: 1.0.0
The skill bundle contains several high-risk security vulnerabilities, most notably a potential Remote Code Execution (RCE) flaw in 'mermaid_generator.py' and 'scripts/mermaid-generator.py' due to the use of 'shell=True' within 'subprocess.run' on user-provided inputs. Additionally, multiple scripts (e.g., 'fetch_feishu_docs.py', 'scripts/debug-search-step.py', 'scripts/vectorize-and-store.py', and 'vectorize_all.py') contain hardcoded Aliyun API keys and Feishu App Secrets. While these appear to be functional tools for a personal automation environment, the combination of exposed credentials and unsafe command execution patterns poses a significant security risk.
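An added example, not code from the bundle or from this page, of how a reviewer can check a skill bundle for the two patterns the analysis above flags: subprocess calls with shell=True and credential-looking names assigned string literals. The file names and contents below are constructed stand-ins that mirror the files the analysis mentions; they are not the bundle's real files, and the secret values are placeholders.

```python
import ast
import re

# Constructed sample sources standing in for files from the bundle (not the
# bundle's actual code); names mirror the files the analysis calls out.
SAMPLES = {
    "mermaid_generator.py": (
        "import subprocess\n"
        "def render(diagram_name):\n"
        "    subprocess.run('mmdc -i ' + diagram_name + ' -o out.png', shell=True)\n"
    ),
    "fetch_feishu_docs.py": (
        "APP_SECRET = 'PLACEHOLDER_APP_SECRET_VALUE'\n"
        "DASHSCOPE_API_KEY = 'PLACEHOLDER_API_KEY_VALUE'\n"
    ),
    "generate_image.py": (
        "import os, subprocess\n"
        "api_key = os.environ.get('GEMINI_API_KEY')\n"   # env lookup: fine
        "subprocess.run(['echo', 'safe'])\n"             # argv list, no shell
    ),
}

SECRET_NAME = re.compile(r"(api_?key|app_?secret|secret|token|password)", re.I)
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def audit_source(filename, source):
    """Return findings: ('shell_true', file, line) or ('hardcoded_secret', file, line, name)."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        # Any subprocess.<func>(..., shell=True); the analysis ties the RCE risk
        # to user-controlled text reaching such a call, so every hit needs review.
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in SUBPROCESS_FUNCS and any(
                kw.arg == "shell" and _is_true(kw.value) for kw in node.keywords
            ):
                findings.append(("shell_true", filename, node.lineno))
        # NAME = "literal" where NAME looks like a credential (env lookups are not flagged)
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append(("hardcoded_secret", filename, node.lineno, target.id))
    return findings

def audit_bundle(files):
    return [f for name, src in files.items() for f in audit_source(name, src)]

if __name__ == "__main__":
    for finding in audit_bundle(SAMPLES):
        print(*finding)
```

On a real bundle, replace SAMPLES with a walk over the extracted files; the same two checks cover the 'shell=True' and hardcoded-key findings the analysis reports.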
Capability assessment
Purpose & Capability
The skill is named/marketed as 'Qwen Comic Gen' / Nano Banana Pro (Gemini 3 Pro Image) but the SKILL.md uses a different internal name (nano-banana-pro) and expects a script at ~/.codex/skills/nano-banana-pro/scripts/generate_image.py. The repository contains many unrelated projects/files (615 files) and many scripts under different paths (e.g., scripts/generate_image.py, clawhub skills/scripts/generate_image.py). A simple image-generation helper would not legitimately include large unrelated workspace files, agent configs, or plaintext secrets found here. The mismatch of names (Qwen vs Nano Banana Pro/Gemini) is also inconsistent.
Instruction Scope
The runtime instructions tell the agent/user to execute a local Python script via 'uv run' at a hard-coded absolute path. That will execute arbitrary code from disk; because the bundle contains many scripts, it's unclear which file will be run in a given installation. The SKILL.md requires/reads an API key either from --api-key or GEMINI_API_KEY—which is reasonable for a generator—but the package also contains many other configuration files and credentials unrelated to image generation. The SKILL.md does not explicitly instruct reading other workspace files, but the presence of many scripts and the absolute path instruction increases the risk the script will access other local files (including the plaintext secrets present).
Install Mechanism
There is no formal install spec (instruction-only), which normally lowers risk; however the published bundle includes 93 code files and 615 total files from an entire workspace. Packaging a whole workspace without a clear install step or trusted release source is disproportionate to the claimed purpose. It increases the chance that opportunistic or unrelated files (or accidental secret dumps) are present and will be used by the runtime script.
Credentials
SKILL.md declares only GEMINI_API_KEY (via env or CLI) which is appropriate. But the package contains multiple configuration files (e.g., 2026-3-10afu的js备份.txt, openclaw configs) with numerous plaintext API keys, app secrets, tokens and other credentials unrelated to Gemini image generation. Those embedded credentials are not justified by the skill description and present a sensitive data exposure risk if the skill or its scripts read or transmit workspace files.
Persistence & Privilege
The manifest sets always:false and declares no persistence. The skill instructs running a script from an absolute path under ~/.codex, which implies an expected skill-installed location in the user's home. That pattern is not inherently privileged, but because the bundle contains extensive workspace files and secrets, granting the skill runtime execution permission increases the blast radius. Autonomous invocation is enabled by default (normal), but combined with the other red flags the ability to run local scripts autonomously is notable.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install qwen-comic-gen
- After installation, call the skill by name directly, or trigger it with /qwen-comic-gen
- Provide the required inputs according to the skill's parameter description to get structured output.
Version history
v1.0.0
Nano Banana Pro image generation and editing initial release:
- Generate new images or edit existing ones using Gemini 3 Pro Image API.
- Supports text-to-image and image-to-image workflows; choose 1K, 2K, or 4K resolution.
- Handles API key via CLI argument or environment variable.
- Smart filename generation using timestamp and prompt keywords.
- Output images saved to current working directory; clear error handling for common failures.
- Includes workflow tips, prompt suggestions, and resolution mapping.
Metadata
FAQ
What is Qwen Comic Gen?
Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 614 cumulative downloads so far.
How do I install Qwen Comic Gen?
Run the command "/install qwen-comic-gen" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Qwen Comic Gen free?
Yes, Qwen Comic Gen is completely free under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Qwen Comic Gen support?
Qwen Comic Gen is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Qwen Comic Gen?
Developed and maintained by icesumer-lgtm (@icesumer-lgtm); current version v1.0.0.