Nano Banana Pro
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: bex-nano-banana-pro
Version: 1.0.0

The `generate.py` script is vulnerable to path traversal via the `--output` argument. The `urllib.request.urlretrieve` function writes the downloaded image to the path specified by `args.output` without any sanitization or validation. This allows a malicious user or a compromised agent to specify a path like `../../evil.sh`, potentially writing files to arbitrary locations outside the skill's intended workspace. This is a significant vulnerability (lack of input sanitization) that could lead to arbitrary file writes, classifying the skill as suspicious rather than benign.
