Chen Nano Banana Pro

Review

Audited by ClawScan on May 10, 2026.

Overview

The image tool’s code is straightforward, but its launch paths and embedded metadata do not match the listed package, so it could fail or run a different local script while using your Google API key.

Before installing, verify that the skill actually runs the included scripts/generate_image.py from its installed directory, not the hard-coded /Users/apple or ~/.codex nano-banana-pro paths. If you proceed, use a limited Gemini API key, monitor quota/billing, and avoid sending confidential images or prompts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may fail on another machine or, worse, run a different local script at that path if one exists, potentially handling the user's API key, prompt, or images outside the reviewed package.

Why it was flagged

The command uses a hard-coded absolute path for a different skill slug than the supplied registry entry and does not reference the packaged script by a portable relative path.

Skill content
command: uv run /Users/apple/.openclaw/workspace/skills/nano-banana-pro/scripts/generate_image.py

Recommendation

Install only after verifying the command points to this skill's packaged scripts/generate_image.py, and prefer a corrected package with matching registry metadata, _meta.json, and portable paths.

What this means

When run, uv may install newer matching dependency versions, so behavior can change over time based on package updates.

Why it was flagged

The uv script declares runtime dependencies with lower-bound version ranges rather than pinned versions or a lockfile.

Skill content
# dependencies = [
#     "google-genai>=1.0.0",
#     "pillow>=10.0.0",
# ]

Recommendation

Prefer pinned dependency versions or a lockfile, especially before using the skill in sensitive or production workflows.

What this means

The tool can act against the user's Google/Gemini API account and may incur quota or billing usage.

Why it was flagged

The skill requires a Google Gemini API key even though the registry metadata declares no primary credential or required env vars.

Skill content
The script checks for API key in this order:
1. `--api-key` argument (use if user provided key in chat)
2. `GEMINI_API_KEY` environment variable

Recommendation

Use a limited Gemini API key via environment variable or a secrets mechanism where possible, and avoid pasting long-lived keys into chat.

What this means

Any prompt text and selected input image are shared with Google for processing.

Why it was flagged

For edits, the script sends the selected local image together with the prompt to Google's Gemini image API.

Skill content
contents = [input_image, args.prompt]
...
response = client.models.generate_content(

Recommendation

Do not use private, regulated, or confidential images or prompts unless you are comfortable with Google's API handling and retention terms.