Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nanobanana Skill
v0.1.0 · Generate or edit images using Google Gemini API via nanobanana. Triggers: "nanobanana", "generate image", "create image", "edit image", "AI drawing", "图片生成",...
⭐ 1 · 919 · 5 current · 5 all-time
by Pengfei Ni (@feiskyer)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw · Suspicious · medium confidence
Purpose & Capability
The skill's code and SKILL.md both implement image generation/editing against Google Gemini, which matches the name/description. However the registry metadata lists no required environment variables while SKILL.md and the script require GEMINI_API_KEY (loaded from ~/.nanobanana.env or env). That metadata omission is an incoherence.
Instruction Scope
Runtime instructions are focused: collect a prompt/inputs, run the included nanobanana.py, and return the saved image path. The script only reads GEMINI_API_KEY (from env/dotenv) and local input files, and writes the output image; it does not reference unrelated system credentials or external endpoints beyond the Google GenAI client.
Install Mechanism
There is no install spec (instruction-only skill) and requirements.txt is standard. The SKILL.md suggests using pip to install listed packages; nothing is downloaded from untrusted URLs and there is no archive extraction.
Credentials
Only GEMINI_API_KEY is needed and that is appropriate for a Gemini client. The concern is that the registry metadata does not declare this required credential, so users may not be warned. The script reads dotenv from ~/.nanobanana.env which could contain secrets — expected for this purpose but should be clearly documented in the skill metadata.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide config changes, and only writes output image files. It does not modify other skills or agent settings.
Scan Findings in Context
No pre-scan findings (expected): Static scan reported no findings. The code's network use is limited to the google-genai client (requires GEMINI_API_KEY) and included libraries (httpx), which is expected for this functionality.
What to consider before installing
This skill appears to implement an image-generation wrapper for Google Gemini, but the registry metadata failed to declare the required GEMINI_API_KEY. Before installing:
1. Confirm the GEMINI_API_KEY requirement is added to the skill metadata, or that you understand you must set it in ~/.nanobanana.env or your environment.
2. Only use a dedicated API key with restricted quota/permissions.
3. Review the included nanobanana.py yourself — it will read local input image files and write output images and uses the google-genai client.
4. Install dependencies in a controlled environment (virtualenv) rather than system-wide.
5. Be cautious because the skill author/source is unknown and there is no homepage — prefer skills from known publishers or require the author to fix the metadata mismatch before trusting automatic invocation.
Like a lobster shell, security has layers — review code before you run it.
