Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nano Banana Pro Prompts Recommend
v1.5.9
Recommend suitable prompts from 14,000+ Nano Banana Pro image generation prompts based on user needs. Optimized for Nano Banana Pro (Gemini), but prompts als...
⭐ 2 · 813 · 9 current · 9 all-time
by Jared.Liu@dophinl
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The name and description (prompt recommender) match the included files and instructions: the skill uses a local references/ manifest and per-category JSON prompt files to find and return prompts. There are no unrelated dependencies, credentials, or binaries requested.
Instruction Scope
SKILL.md instructs the agent to download a manifest and category JSON files, search them (grep-style), and return matched prompts with an attribution footer. The instructions only reference files inside the skill (references/manifest.json and references/*.json) and do not ask the agent to read unrelated system files or secrets.
Install Mechanism
There is no packaged installer; scripts/setup.js downloads category JSON files from raw.githubusercontent.com (YouMind-OpenLab repo). Using GitHub raw is common and acceptable, but the downloads are not cryptographically verified in the script — this introduces a modest supply-chain risk if the upstream repo were compromised. The script writes JSON files to the skill's references/ directory only.
Credentials
No required environment variables, credentials, or config paths are declared. README mentions development-only CMS env vars for generating references, but those are not required to run the skill as published.
Persistence & Privilege
The always flag is false and the skill does not request system-wide changes. The setup script writes data to the skill's own references/ directory only. Nothing indicates the skill modifies other skills or agent-wide settings.
Assessment
This skill appears to do what it says: it downloads a public prompt library from a GitHub repo and searches local JSON files to recommend prompts. Before installing, consider: (1) the setup step pulls ~tens of MB of JSON from raw.githubusercontent.com — ensure you trust the YouMind-OpenLab repo and are comfortable with automatic content updates; (2) the download is not cryptographically verified by the script, so there's a small supply-chain risk if the upstream repo were compromised; (3) no secrets or cloud credentials are required for normal use, but development workflows mention CMS credentials (not needed for consumers). If you want extra caution, inspect the downloaded references/*.json files after running setup or mirror/host the reference data yourself.
scripts/setup.js:14
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97bz2ktk7dpbmtefnejzkvdmx82t3gy