Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Location Aware Backgrounds

v1.0.2

Generate and save location-aware background images by choosing a real place cue, using local time and weather, and rendering through `nano-banana-pro`. Use w...

by Chad Newbry (@chadnewbry)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to render images through 'nano-banana-pro' and to use only user-supplied files or explicit lookups. However, the registry metadata requires a GEMINI_API_KEY and the 'uv' binary even though SKILL.md never references using Gemini or the 'uv' binary. It's unclear why a Gemini API key (typically associated with a different provider) or a 'uv' binary are necessary for a renderer named 'nano-banana-pro'. This mismatch suggests the declared requirements are not justified by the stated purpose.
Instruction Scope
The SKILL.md stays focused on generating finished images and saving files, and limits file/system reads to user-supplied inputs (good). However, it instructs the agent to 'invoke $nano-banana-pro' without specifying how (CLI, API endpoint, or what credentials to pass). The lack of concrete integration details combined with the unexplained declared env var/binary leaves ambiguity about what the agent will actually do at runtime.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no author-provided installer or archive to evaluate. That minimizes disk-write installation risk.
Credentials
The skill requires a single primary credential GEMINI_API_KEY but the SKILL.md does not mention Gemini or explain why that credential is needed. There is no justification for requesting that key from the instructions. Requiring a named API key without showing how it is used is disproportionate and should be explained before granting the secret.
Persistence & Privilege
'always' is false and the skill does not request persistent installation or changes to other skills or system-wide config. Autonomous invocation is allowed by default (not flagged by itself) and there are no metadata signs of elevated persistence.
What to consider before installing
This skill's behavior is ambiguous: before installing or supplying secrets, ask the skill author to explain (1) why GEMINI_API_KEY is required and exactly how/where that key will be used (which hostname/endpoints receive data), (2) what the 'uv' binary is expected to do and why it's necessary, and (3) how 'nano-banana-pro' is invoked (CLI vs API) and what credentials it needs. Do not provide a general-purpose GEMINI/Google API key until the author confirms minimal, scoped permissions and a clear network endpoint. If you must try it, use a scoped test key and run in a sandboxed environment; review the homepage and vendor docs for nano-banana-pro to confirm the integration path and trustworthiness. If the author cannot justify the GEMINI_API_KEY or 'uv' requirement, treat the skill as unsafe to use.

latestvk97dpzqxkjyzwt3f1bg7q0pgt983mzzz

Runtime requirements

Bins: uv
Env: GEMINI_API_KEY
Primary env: GEMINI_API_KEY