ClawHub

IMA Nano Banana Image Generator

v1.0.9

Nano Banana-only image generation on IMA Open API. Supports text_to_image and image_to_image with gemini-3.1-flash-image (budget) and gemini-3-pro-image (pre...

0· 433·3 current·3 all-time
by@allenfancy-gan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (IMA Nano Banana image generation) match the artifacts: SKILL.md, scripts/ima_image_create.py implement text_to_image and image_to_image against api.imastudio.com and imapi.liveme.com and enforce a model allowlist. One minor metadata inconsistency exists: the top-level manifest summary you provided states 'Primary credential: none' while SKILL.md and clawhub.json declare IMA_API_KEY as required/primary; this is likely a packaging/metadata mismatch but does not change runtime behavior.
Instruction Scope
SKILL.md explicitly limits operations to the bundled script and to image tasks; the script follows that flow (product list, create task, poll, optional local-file upload). The script reads local image files only when performing image_to_image (expected). It sends the IMA_API_KEY to the two documented IMA domains for task creation and upload-token requests (documented in SECURITY.md). There are no instructions to read unrelated system files or collect other credentials.
Install Mechanism
No network download/install hook or arbitrary remote code execution; this is an instruction+script package with requirements.txt (requests). No high-risk install URLs or extract steps are present.
Credentials
Only one required environment variable (IMA_API_KEY) is requested which matches the service integration. The script will send that API key to api.imastudio.com for generation and to imapi.liveme.com when uploading local files (this dual-domain use is documented in SECURITY.md). The package contains hard-coded APP_ID/APP_KEY used to sign upload-token calls and the code claims these are non-secret; that is plausible but should be understood by the user.
Persistence & Privilege
The skill does write to its own pref and log paths (~/.openclaw/memory/ima_prefs.json and ~/.openclaw/logs/ima_skills/) as declared in SKILL.md/clawhub.json and cleans logs after seven days. always:false and no cross-skill or system-wide config modifications are present.
Assessment
This package appears coherent for an IMA image-generation client, but review these before installing: 1) Use a scoped/test IMA_API_KEY instead of a full-production key until you verify behavior; the key will be sent to both api.imastudio.com and imapi.liveme.com for local-file uploads. 2) Confirm you are comfortable with the skill writing logs and a preferences file under ~/.openclaw (logs may contain URLs and metadata; authors state the API key is not written to disk). 3) Note the hard-coded APP_ID/APP_KEY in the script (authors claim non-secret shared values); verify that upload-token flow meets your security/privacy needs. 4) The registry metadata you were shown has a minor inconsistency about the 'primary credential'—trust the SKILL.md/packaged clawhub.json for runtime requirements. If you need greater assurance, inspect the full ima_image_create.py functions that perform network calls or run the script in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9709ps05nmd3mftcv863s63zd83qq31

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvIMA_API_KEY

Comments