zero2ai-hub

Skill X Post Ai Image

Author: Zero2Ai · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 424
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install skill-x-post-ai-image
Description
Generate an AI image via Gemini and post it to X (Twitter) using OAuth1. Supports text-only or text+image tweets.
Safe-use recommendations
This skill appears to do what it claims (generate a Gemini image and post it to X), but the package metadata is incomplete and brittle. Before installing or running it: (1) Do not paste secrets into your environment unless you trust the source — the script requires X OAuth1 keys and GEMINI_API_KEY but the registry did not declare them. (2) Verify and/or supply the nano-banana-pro generate_image.py it calls — the script defaults to a hard-coded path outside the bundle; inspect that file so you know what code will run. (3) Ensure Python dependencies (Pillow, requests_oauthlib) are installed in a controlled environment. (4) Prefer running this in an isolated/test environment first and confirm xurl and uv are the expected CLIs. If you need to proceed safely, ask the publisher to update the registry: declare required env vars, list Python dependencies, and avoid hard-coded paths or include the image-generation implementation instead of relying on another skill's file.
Functional analysis
Type: OpenClaw Skill
Name: skill-x-post-ai-image
Version: 1.0.1
The skill is classified as suspicious due to significant potential vulnerabilities, primarily the Remote Code Execution (RCE) risk in `scripts/post_with_image.py`. The script allows the path to the `nano-banana-pro` skill's script to be overridden by the `NANO_BANANA_SCRIPT` environment variable. If an attacker can control this environment variable (e.g., via prompt injection against the OpenClaw agent), they could execute arbitrary code. Additionally, the script relies on external binaries (`uv`, `xurl`) and passes user-controlled input to them, creating a potential vulnerability chain if these downstream components are not robust against command injection.
Capability assessment
Purpose & Capability
Name/description (Gemini image → post to X) match the included script and SKILL.md. Declared required binaries (uv, xurl) match what the script runs. However the registry metadata lists no required env vars or credentials even though the runtime needs X OAuth keys and a GEMINI_API_KEY, so the manifest is incomplete.
Instruction Scope
SKILL.md and the script require environment variables (GEMINI_API_KEY, X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) and instruct running a separate nano-banana-pro script; those env vars are not declared in the registry metadata. The script reads X_* creds at module import time (os.environ[...] without defaults), which will raise immediately if absent. The instructions also assume presence of another skill's script at a hard-coded path (/home/linuxbrew/.../nano-banana-pro/scripts/generate_image.py), which is outside this skill's bundle and could be missing or point to unexpected code.
Install Mechanism
There is no install spec (instruction-only), which keeps disk write risk low. But the Python script depends on packages (Pillow, requests_oauthlib) that are neither declared nor installed by the skill; runtime will fail unless the environment already has these. The reliance on an external skill's script path is brittle and raises supply-chain/availability concerns.
Credentials
The skill requires multiple sensitive credentials (X OAuth1 consumer/consumer_secret/access token/secret and GEMINI_API_KEY) to function, which are proportionate to the stated purpose. The problem is these required credentials are not declared in the registry metadata (required env vars: none / primary credential: none), increasing the chance a user will supply secrets in an unexpected way. The script also passes GEMINI_API_KEY into a subprocess environment and base64-encodes image data for upload (expected for Twitter), but lack of explicit declaration and documentation in the registry is a notable mismatch.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as an on-demand command/script with no persistent presence declared.
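How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-x-post-ai-image
  3. Once installation completes, invoke the Skill by name or trigger it with /skill-x-post-ai-image
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history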
v1.0.1
- No changes detected in this version.
- Functionality, documentation, and setup remain the same as the previous release.
v1.0.0
Post to X/Twitter with Gemini-generated images. One command: text prompt → AI image → published tweet. Supports text-only mode.
Metadata
Slug: skill-x-post-ai-image
Version: 1.0.1
License
Total installs: 1
Current installs: 1
Historical versions: 2
FAQ

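What is Skill X Post Ai Image?

Generate an AI image via Gemini and post it to X (Twitter) using OAuth1. Supports text-only or text+image tweets. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 424 total downloads to date.

How do I install Skill X Post Ai Image?

Run the command "/install skill-x-post-ai-image" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Skill X Post Ai Image free?

Yes, Skill X Post Ai Image is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Skill X Post Ai Image support?

Skill X Post Ai Image runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Skill X Post Ai Image?

It is developed and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.1.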
