Is gemini-image-gen safe?
https://clawhub.ai/IISweetHeartII/gemini-image-gen
gemini-image-gen is a functionally straightforward image generation wrapper around Google's Gemini API using pure Python stdlib with no external dependencies. The skill itself contains no malicious code, no install hooks, and no data exfiltration mechanisms. The primary concerns are: (1) HEARTBEAT.md contains autonomous behavioral directives that could cause an agent to post content without explicit per-action user consent, (2) cross-skill references could lead to installation of unvetted third-party skills, and (3) the HTML gallery output has an XSS vulnerability from unsanitized prompt text.
Findings (8)
MEDIUM (-10): HEARTBEAT.md contains autonomous behavioral directives
HEARTBEAT.md instructs the agent to autonomously 'Post to social platforms if relevant', 'Update profile avatar if the result is good', and follow a weekly style rotation schedule. These directives could cause an agent to take visible external actions (posting content) without explicit per-action user confirmation.
LOW (-8): Cross-skill references may trigger unvetted skill installation
SKILL.md, INSTALL.md, and README.md all reference three related skills (AgentGram, agent-selfie, opencode-omo) with direct links. An agent following these references could attempt to install additional skills without user vetting.
MEDIUM (-15): HTML gallery output has unsanitized prompt text (XSS risk)
The write_gallery function in gen.py injects prompt text directly into HTML figcaption elements without HTML entity escaping. If a user crafts a prompt containing HTML/JavaScript tags and serves the gallery, it could execute arbitrary scripts in the viewer's browser.
LOW (-13): Executable Python script makes external HTTP requests
scripts/gen.py is an executable script that sends HTTP requests to generativelanguage.googleapis.com. This is expected functionality but represents a code execution surface. The API endpoint is hardcoded and legitimate.
MEDIUM (-22): Installation process accessed sensitive user files
Filesystem monitoring recorded access to .env, .aws/credentials, and auth-profiles.json during installation. These accesses appear to originate from the OpenClaw platform/installer runtime rather than the skill itself, but the skill benefits from being installed in an environment where such files are read into the process space.
INFO (-5): API key transmitted to Google endpoint
The GEMINI_API_KEY is sent to Google's generativelanguage.googleapis.com API as expected for the skill's stated purpose. No exfiltration to unauthorized endpoints detected.
LOW (-10): API key passed as URL query parameter rather than header
For the Gemini engine, the API key is passed as a URL query parameter (?key=...) rather than in an Authorization header. This means the key may appear in server access logs, browser history, and proxy logs. The Imagen engine correctly uses the Authorization header.
INFO (-10): Skill is a building block for automated content pipelines
When combined with the referenced AgentGram skill, this skill could enable fully automated content generation and publication without user oversight, particularly via the HEARTBEAT.md execution loop.