Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
Proceed cautiously. The SKILL.md says it will read your local Google OAuth profile and call an internal/sandbox Google endpoint, but the skill package contains no script code (the generate.js it references is missing) and the source is unknown. Before installing or using it: 1) ask the publisher for the actual script/source and review it so you can confirm it only uses your tokens to call the expected Google API; 2) verify which auth.profiles file it will read and avoid using high‑privilege or p...
ℹ Purpose and capabilities
Name/description (Antigravity/Gemini image generation) aligns with required binary (node) and declared config path (auth.profiles). However the skill claims to call an internal Google sandbox endpoint (daily-cloudcode-pa.sandbox) — acceptable for an internal tool but unusual for a third‑party skill with unknown source and no homepage.
⚠ Instruction scope
SKILL.md instructs running /home/ubuntu/clawd/skills/antigravity-image-gen/scripts/generate.js and explicitly states it will read local OAuth tokens from auth-profiles.json. But this skill bundle contains no code files (only SKILL.md and _meta.json) — the referenced script is missing. Instructions also encourage using sensitive local OAuth credentials to access an internal endpoint, which increases risk if the actual script behaves differently.
✓ Install mechanism
No install spec (instruction-only), so nothing is written to disk by the skill installer itself. This is low-risk from an install mechanism perspective.
ℹ Credential requirements
The only declared config requirement is auth.profiles, which matches the instructions' stated need to read OAuth tokens. Reading OAuth credentials is sensitive but can be proportionate for an image-generation client that authenticates to an API. Still, the skill requests access to local OAuth tokens but provides no code to review, so the sensitivity is elevated.
✓ Persistence and privileges
The skill does not set always:true and does not request persistent system-wide privileges. Autonomous invocation is enabled by default, which is normal but should be considered along with the other concerns.
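Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v2.0.0 2026/3/13
● Suspicious
Install command
Official: npx clawhub@latest install clawhub-publish-146230
Mirror (accelerated): npx clawhub@latest install clawhub-publish-146230 --registry https://cn.longxiaskill.com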