Nano Banana 2 — AI Image Generation (Gemini 3.1 Flash Image, Google, Evolink)

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Evolink image-generation skill, but users should notice that prompts/images leave the device, an API key is required, and the optional MCP setup runs an unpinned npm package.

Install only if you are comfortable sending prompts and images to Evolink, using an Evolink API key, and optionally running the Evolink MCP package from npm. For safer setup, pin the MCP package version and avoid uploading sensitive images.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the API key could use the user's Evolink account or credits within the key's permissions.

Why it was flagged

The skill uses a delegated Evolink credential for API access; this is expected for the service and is disclosed, but it is still account authority the user should protect.

Skill content

**`EVOLINK_API_KEY`** authenticates all requests. Injected by OpenClaw automatically. Treat as confidential.

Recommendation

Use a dedicated Evolink API key if possible, keep it secret, and revoke or rotate it if you stop using the skill.

What this means

Sensitive images uploaded for editing or reference could be exposed to Evolink and to anyone who obtains the temporary URL.

Why it was flagged

Image upload/reference workflows create external hosted file URLs; this is purpose-aligned, but uploaded images may be accessible by link until expiry.

Skill content

Use `file_url` from the response as a publicly accessible link. Files expire after **72 hours**.

Recommendation

Avoid uploading private or regulated images unless you are comfortable with Evolink processing and temporarily hosting them.

What this means

If the npm package or latest release changes unexpectedly, the local MCP server behavior could change when installed or launched.

Why it was flagged

The optional MCP setup runs an external npm package using the moving @latest version; this is user-directed and central to the integration, but it is not pinned in the artifacts.

Skill content

`mcporter call --stdio "npx -y @evolinkai/evolink-media@latest" list_models`

Recommendation

Prefer pinning a reviewed package version and verify the GitHub/npm package before connecting it with your API key.

What this means

Unintended use could spend Evolink credits, upload files, or delete files from the user's Evolink file quota.

Why it was flagged

The documented tools can create image-generation tasks and delete hosted files; these actions fit the skill's purpose, but they should remain user-directed.

Skill content

`generate_image` | Create or edit an image ... `delete_file` | Free file quota

Recommendation

Confirm generation, upload, and deletion actions before proceeding, especially for paid accounts or important uploaded assets.