Skill v1.0.0

ClawScan security

WaveSpeedAI Nano Banana Pro Image Generation/Editing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 2, 2026, 3:04 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions match its stated image-generation purpose, but its metadata omits the API key it clearly requires and the README asks the agent to upload local files — these mismatches warrant caution before installing.
Guidance
This skill appears to be a straightforward WaveSpeed client wrapper for an image model, but the SKILL.md and the registry disagree: the documentation requires a WAVESPEED_API_KEY and describes uploading local files, yet the skill metadata declares no environment variables or primary credential and there is no source/homepage listed. Before installing: (1) confirm the WAVESPEED_API_KEY requirement — expect to supply that key if you use the skill; (2) verify the skill's provenance (author, homepage, or source repo) — avoid keys if you don't trust the publisher; (3) if you will upload local images, be aware the agent will need access to those file paths and the images will be transmitted to wavespeed.ai; (4) prefer skills whose metadata explicitly declares required credentials and includes a verifiable homepage or source; (5) consider testing in an isolated environment or with non-sensitive sample images and a scoped API key. If the publisher updates the metadata to declare WAVESPEED_API_KEY and provides a reputable source/homepage, the inconsistency would be resolved and my assessment could change to benign.

Review Dimensions

Purpose & Capability
ok: Name/description (WaveSpeed AI Nano Banana Pro image generation and editing) align with the SKILL.md examples that call wavespeed.run and wavespeed.upload for text-to-image and editing tasks. The APIs and parameters shown are coherent with the stated purpose.
Instruction Scope
note: SKILL.md instructs using wavespeed.upload to send local files (e.g., '/path/to/photo.png') and shows code that expects the agent environment to supply image file paths and an API key. Uploading local files is expected for image-editing, but the instructions do not clarify consent/permissions, and they reference an environment variable (WAVESPEED_API_KEY) that is not declared in the skill metadata.
Install Mechanism
ok: No install spec and no code files (instruction-only). This minimizes disk-write/install risk; the skill will only provide runtime instructions and example code. No external downloads or package installs are requested.
Credentials
concern: Registry metadata lists no required env vars or primary credential, but SKILL.md explicitly shows an authentication step using WAVESPEED_API_KEY and points to wavespeed.ai/accesskey. The missing declaration is a discrepancy — the skill will need a service API key at runtime, and this credential is not represented in the skill metadata.
Persistence & Privilege
ok: always is false and the skill is user-invocable with normal autonomous invocation allowed. Nothing requests elevated or permanent presence beyond normal skill behavior.