Nano Banana Pro OpenRouter
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent OpenRouter image-generation skill, but it uses a local shell script and OpenRouter API key/.env handling that users should understand before use.
This skill appears safe to use for OpenRouter image generation if you are comfortable with a shell script sending your prompt to OpenRouter and using an API key. Use a dedicated API key, verify OPENROUTER_BASE_URL, and expect generated files to be saved under the OpenClaw outputs directory.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your OpenRouter API key can be read and used for billed image-generation requests.
The skill uses an OpenRouter API key, including from a local .env file, even though registry metadata does not declare a primary credential. This is expected for OpenRouter image generation, but the key is sensitive and may be exposed to the agent/tool invocation path.
The script checks for the API key in this order: 1. --api-key argument ... 2. OPENROUTER_API_KEY environment variable ... Use the `read` tool to read `.env` ... Always pass the key via `--api-key`
Use a dedicated OpenRouter key with appropriate limits, keep the .env file limited to this skill's variables, and avoid pasting long-lived keys into chat when possible.
Image prompts, and the API authorization header, go to whatever endpoint is configured as the base URL.
The user's prompt and bearer token are sent to the configured base URL. This is the intended provider API flow, but the script relies on OPENROUTER_BASE_URL rather than hard-validating the official OpenRouter endpoint.
curl -sS -o "$response_file" ... -H "Authorization: Bearer $api_key" ... -d "$payload" "$base_url"
Set OPENROUTER_BASE_URL only to the official OpenRouter chat completions endpoint unless you intentionally use a trusted compatible gateway.
The install/registry view may not warn you that command-line tools and an API key/base URL are needed.
The registry metadata under-declares setup needs that are documented in SKILL.md and implemented in the script, including curl/base64 and OpenRouter credential/base URL configuration. This is a transparency issue, not evidence of hidden installation behavior.
Required binaries (all must exist): none ... Env var declarations: none ... Primary credential: none
Review SKILL.md before use and ensure curl, base64, OPENROUTER_API_KEY, and OPENROUTER_BASE_URL are configured intentionally.