ORF

Audited by ClawScan on May 10, 2026.

Overview

The ORF digest is mostly purpose-aligned, but it under-declares that it can install unpinned packages and use a local Gemini/Nano Banana API key.

Review before installing. If you use it, expect it to run local Python/Node scripts, create files under ./tmp, install Python packages from PyPI on first image generation, read a Gemini/Nano Banana API key from your environment or OpenClaw config, and send the image prompt to Google/Gemini. Prefer a version with declared credentials and pinned dependencies.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Invoking the skill may use the user's Gemini/Nano Banana account or quota to generate the final image.

Why it was flagged

The helper reads a local OpenClaw configuration file for a Nano Banana/Gemini API key. The registry metadata declares no primary credential, required environment variable, or required config path, so this credential use is under-disclosed.

Skill content

cfg_path = Path.home() / ".openclaw" / "openclaw.json" ... get("nano-banana-pro", {}) ... get("apiKey")

Recommendation

Declare the credential and config path explicitly, ask the user to configure/approve the API key intentionally, and avoid silently reusing another skill's stored key.

What this means

Running the skill can download and execute dependency code that was not pinned or declared at install time.

Why it was flagged

On first use, the script creates a virtual environment and installs unpinned packages from the Python package ecosystem, despite the skill having no install spec.

Skill content

python3 -m venv "$VENV_DIR"
"$PY" -m pip install --quiet --disable-pip-version-check google-genai pillow

Recommendation

Move dependency setup into a declared install step, pin package versions or hashes, and make the first-run installation visible to the user.

What this means

The prompt derived from selected ORF stories is sent to the image-generation provider; this appears to be public news content, not private local data.

Why it was flagged

The generated image prompt is sent to an external Gemini image model. This is aligned with the stated Nano Banana image feature, but the provider data flow is not declared in metadata.

Skill content

client.models.generate_content(
        model="gemini-3-pro-image-preview",
        contents=args.prompt,

Recommendation

Disclose the external provider call and avoid including private user content in the image prompt unless the user explicitly agrees.