📦 Baoyu Danger Gemini Web — 逆向Gemini图文生成
v0.1.1通过逆向工程调用 Gemini Web API,实现文本生成、文生图及参考图视觉输入,一键完成多模态创作。
0· 129·0 当前·0 累计
by 下载技能包
最后更新
2026/3/20
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill implements a reverse‑engineered Gemini Web client that needs real Google session cookies to work. It will attempt to load cookies from your browser (via a bundled Chrome CDP helper), may launch or attach to Chrome, and will write cookie and consent files to your user data directories. Before installing: (1) Be sure you accept the SKILL.md consent flow; (2) prefer using a dedicated or disposable Chrome profile rather than your main browser profile if you proceed; (3) inspect the bundle...详细分析 ▾
ℹ 用途与能力
Name/description claim a reverse‑engineered Gemini Web client for text/image generation; included scripts implement that and call only Google/Gemini endpoints. Requiring browser session cookies and a Chrome debugging/CDP helper is coherent with the stated purpose (the client needs valid __Secure-1PSID / __Secure-1PSIDTS to authenticate).
⚠ 指令范围
SKILL.md and the shipped code instruct the agent to read/write consent and cookie files in user data directories, optionally load cookies from the local Chrome profile (using a bundled Chrome CDP module), launch or connect to Chrome debug ports, and write cached cookie files. These actions access sensitive local browser state (authentication cookies) and user config files beyond a simple API key — the SKILL.md does include an explicit consent flow, but the runtime instructions will read local browser cookies and may launch/manipulate Chrome sessions.
✓ 安装机制
This is an instruction‑only skill (no external downloads at install time). Code is bundled in the skill (TypeScript + a vendored baoyu‑chrome‑cdp). It requires running the local scripts (bun or npx) but does not fetch arbitrary remote code during installation. No suspicious remote install URLs were found.
⚠ 凭证需求
Registry metadata declares no required env vars, but the code reads several environment variables (e.g., GEMINI_WEB_LOGIN, GEMINI_WEB_FORCE_LOGIN, GEMINI_WEB_CHROME_PROFILE_DIR, GEMINI_WEB_CHROME_PATH, BAOYU_CHROME_PROFILE_DIR and others) and will access local browser cookies and profile directories. Accessing browser cookies is equivalent to accessing authentication credentials — appropriate for this reverse‑engineered approach, but high‑sensitivity and not reflected in the required‑env metadata.
ℹ 持久化与权限
Skill does not request always:true and does not modify other skills. It will create/read/write cookie and consent files under user data dirs (e.g., ~/.local/share or %APPDATA%). It may launch or connect to Chrome via CDP, which is a privileged local action; this is powerful but consistent with its authentication strategy.
⚠ scripts/gemini-webapi/utils/paths.ts:38
Shell command execution detected (child_process).
⚠ scripts/vendor/baoyu-chrome-cdp/src/index.test.ts:89
Shell command execution detected (child_process).
⚠ scripts/vendor/baoyu-chrome-cdp/src/index.ts:220
Shell command execution detected (child_process).
⚠ scripts/vendor/baoyu-chrome-cdp/src/index.ts:97
Environment variable access combined with network send.
⚠ scripts/gemini-webapi/utils/upload-file.ts:3
File read combined with network send (possible exfiltration).
⚠ scripts/vendor/baoyu-chrome-cdp/src/index.ts:202
File read combined with network send (possible exfiltration).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.12026/3/20
NULL
● Pending
安装命令
点击复制官方npx clawhub@latest install baoyu-danger-gemini-web-2
镜像加速npx clawhub@latest install baoyu-danger-gemini-web-2 --registry https://cn.longxiaskill.com