ClawHub

Nano Banana Pro OpenRouter

v1.0.1

Generate images with Nano Banana Pro via OpenRouter. Use when the user asks for image generation, mentions Nano Banana Pro, Gemini 3 Pro Image, or OpenRouter image generation.

1· 2.2k·9 current·9 all-time
byShan Shutong@duffycoder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description, runtime script, and instructions all match: the skill calls an OpenRouter-compatible chat/completions endpoint to request Gemini-3-Pro-image generation and saves resulting images. However, the skill metadata declares no required environment variables or primary credential even though the runtime requires OPENROUTER_API_KEY and OPENROUTER_BASE_URL — this mismatch should be fixed.
!
Instruction Scope
SKILL.md instructs the agent to read .env files (using the read tool) and tells the agent not to ask the user for a key if a .env exists. The included script itself loads both "$PWD/.env" and the skill's .env. Directing the agent to read files that may contain secrets and relying on PWD/.env expands scope beyond the skill folder and can expose unrelated credentials.
Install Mechanism
No install spec; this is an instruction-only skill with a shell script. Nothing is downloaded or written by an installer, which is low risk.
!
Credentials
The runtime clearly needs OPENROUTER_API_KEY and OPENROUTER_BASE_URL, but the registry metadata lists no required env vars/primary credential. Worse, the load_env_file function exports every valid key from loaded .env files (including PWD/.env), which can cause unrelated secrets to be read/used. Requesting the OpenRouter key is reasonable, but reading arbitrary .env files is disproportionate.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide changes. It does not modify other skills or agent configuration. Autonomous invocation is allowed (platform default) but is not combined with other high-privilege requests here.
What to consider before installing
This skill appears to be a legitimate OpenRouter image generator, but exercise caution before installing or running it. Key points: - The script requires an API key and a base URL (OPENROUTER_API_KEY and OPENROUTER_BASE_URL) but the skill metadata does not declare these — treat that as a red flag and verify where you'll store/provide the key. - The script will load and export variables from both the current working directory's .env (PWD/.env) and the skill's .env. That means if you run it from a project directory with a .env containing other service credentials, those values could be exported into the script environment. Avoid running this from directories with unrelated secrets. - The SKILL.md also instructs the agent to read the skill .env file (using the read tool) and pass the key. Reading files to obtain secrets is necessary for operation but increases risk — inspect the .env contents yourself before allowing the agent to read it. - Recommended precautions: (1) Put your OpenRouter API key in a dedicated, minimal .env inside the skill directory (or pass --api-key explicitly), (2) do not run the script from a project folder that contains other sensitive .env files, (3) review the script and test in a restricted/sandboxed environment first, and (4) ask the skill author to update registry metadata to declare required env vars and to avoid loading PWD/.env unnecessarily.

Like a lobster shell, security has layers — review code before you run it.

latestvk971denmjerfsk00qs4pw6m4bx80eg3w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments