Gemini Nano Banana

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

The artifacts describe a coherent OneKey/Gemini image-generation gateway skill, with the expected caveats around third-party packages, an API key, and external processing.

This skill appears benign and purpose-aligned. Before installing, make sure you trust the OneKey Gateway and the npm/PyPI packages, use a revocable API key, monitor usage or billing, and avoid sending private prompts or images unless you are comfortable with external processing.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may consume quota or incur charges on the OneKey/Gemini account tied to the key.

Why it was flagged

The skill needs a OneKey Gateway API key to call the provider, which is purpose-aligned but gives the skill delegated access to a commercial API gateway.

Skill content
```yaml
DEEPNLP_ONEKEY_ROUTER_ACCESS:
    required: true
    description: OneKey Gateway API key
```
Recommendation

Use a revocable, least-privileged key where possible and monitor account usage.

What this means

Prompts or image URLs supplied to the tool may be processed by an external gateway/provider.

Why it was flagged

The wrapper forwards the user-provided payload to the OneKey/Gemini gateway. This is expected for the skill, but prompts, image references, and other payload fields leave the local environment.

Skill content
```python
result = router.invoke(
    unique_id="gemini/gemini",
    api_id="generate_image_gemini",
    data=payload,
)
```
Recommendation

Avoid submitting sensitive prompts, private image URLs, or confidential data unless the provider’s terms and data handling are acceptable.

What this means

Installing the skill may install third-party code that is outside the provided artifact contents.

Why it was flagged

The skill relies on external npm and PyPI packages without version pins. This is a normal integration dependency pattern, but users must trust those package sources.

Skill content
```yaml
dependencies:
  npm:
    - "@aiagenta2z/onekey-gateway"
  python:
    - "ai-agent-marketplace"
installation:
  npm: npm -g install @aiagenta2z/onekey-gateway
  python: pip install ai-agent-marketplace
```
Recommendation

Install from trusted package registries, consider pinning versions, and review package provenance before use.

What this means

If the user invokes the additional usage examples, external image URLs may be analyzed rather than only new images being generated.

Why it was flagged

The usage section includes additional gateway examples beyond the two provided Python scripts, such as OCR and image item listing. They are disclosed and user-invoked, but broaden what a user may expect from an image-generation skill.

Skill content
### ocr_extract_text_from_image
```shell
npx onekey agent gemini-nano-banana/gemini-nano-banana ocr_extract_text_from_image '{"images": ["https://avatars.githubusercontent.com/u/242328252"], "model": "gemini-3-flash-preview"}'
```
Recommendation

Confirm the exact tool/action before invoking gateway commands, especially for image analysis or OCR on private images.