Nano Banana Pro via cheaper grsai.com
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The API key may authorize account usage and consume provider quota or credits; passing it in chat or command text can expose it to logs or transcripts.
The skill requires a provider credential for the advertised API use. This is expected, but users should notice that the registry metadata did not declare a primary credential or env var.
The script checks for API key in this order:
1. `--api-key` argument (use if user provided key in chat)
2. `GRSAI_API_KEY` environment variable
Prefer a scoped or rotatable key in `GRSAI_API_KEY` rather than pasting long-lived keys in chat, and rotate the key if it is exposed.
Private prompts or images provided for editing will leave the local machine and be processed by the external API provider.
For image editing, the selected local image is base64-encoded and sent with the prompt to the external grsaiapi.com endpoint.
GRSAI_API_URL = "https://grsaiapi.com/v1/draw/nano-banana" ... b64 = base64.b64encode(img_data).decode("utf-8") ... payload["urls"] = urls
Only use this skill with prompts and images you are comfortable sending to grsaiapi.com, and verify the provider’s trust and privacy terms before using sensitive content.
A mistaken or overly broad output filename could create directories or overwrite an existing local file with image data.
The script creates directories and writes the downloaded image to the requested filename. This is expected for an image generator, but the path is not constrained by the script.
output_path.parent.mkdir(parents=True, exist_ok=True) ... output_path.write_bytes(resp.read())
Use unique `.png` filenames in the current working directory and avoid pointing output filenames at important or protected files.
The skill will not run unless `uv` is available, and users need to ensure that runtime is installed from a trusted source.
The skill requires the `uv` runtime to execute its script even though the registry metadata lists no required binaries or install spec.
Preflight:
- `command -v uv` (must exist)
Install `uv` only from a trusted source; the skill metadata should also declare this runtime requirement.
