Ai Image Gen Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s image-generation purpose is clear, but it tells the agent to run an undeclared script from a different skill while also requiring an undeclared Gemini API key.
Review before installing. The image-generation purpose is reasonable, but the package does not include its own generation code and instead runs a script from another skill directory. Verify that script’s source and behavior before providing a Gemini API key or private reference images.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run code that was not part of this reviewed skill, so the actual behavior, data handling, and credential use cannot be verified here.
The skill package contains only SKILL.md, but its core workflow depends on running a script from another skill path that is not included or pinned by the provided artifacts.
uv run /usr/lib/node_modules/openclaw/skills/nano-banana-pro/scripts/generate_image.py
Only use this after verifying the referenced nano-banana-pro script is installed from a trusted source, or ask the publisher to include/pin the script and declare the dependency.
Your Gemini API key may be used by the referenced generation script, which can incur provider usage and gives that script access to the credential at runtime.
The skill requires a Gemini API key even though the registry metadata declares no required environment variables or primary credential.
Requires the `GEMINI_API_KEY` environment variable
Set the API key only for trusted code, use a restricted key if possible, and ensure the registry metadata accurately declares the credential requirement.
Prompts and any reference images you choose may be processed by Gemini, so private or sensitive images should be handled carefully.
The skill is explicitly a Gemini integration and supports image-to-image generation, implying prompts and selected reference images are sent to the Gemini provider.
Generates high-quality images with Gemini, supporting text-to-image and image-to-image
Avoid using sensitive reference images unless you are comfortable sending them to the provider, and review Gemini’s data handling settings for your account.
