Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Banana Image T8

v0.1.4

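Calls the Nano Banana API to generate or edit images. Supports text-to-image and image-to-image; requires an API key and a prompt, and supports custom size and aspect ratio.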

by flywhale @flywhale-666

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for flywhale-666/nano-banana-image-t8-alluse.

Install the skill "Nano Banana Image T8" (flywhale-666/nano-banana-image-t8-alluse) from ClawHub.
Skill page: https://clawhub.ai/flywhale-666/nano-banana-image-t8-alluse
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install flywhale-666/nano-banana-image-t8-alluse

ClawHub CLI

npx clawhub@latest install nano-banana-image-t8-alluse

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name/description (image gen/edit via Nano Banana API) matches the included script and SKILL.md. The only requested credentials are an API key (via param or NANO_BANANA_API_KEY), which is appropriate for this purpose.

Instruction Scope

SKILL.md tightly constrains runtime behavior (must use the bundled script, disallow ad-hoc curl or writing temporary scripts, restrict where keys may be captured/saved, forbid scanning other project files). The included Python script largely implements the expected API calls, but it exposes interactive key prompts and an overridable --base-url and will unconditionally save any key entered interactively. That means the script's behavior can diverge from the SKILL.md rules (e.g., the SKILL.md says only save sk- keys under specific message conditions, but the script will save keys entered during interactive runs).

Install Mechanism

Instruction-only skill with an included test script; there is no installer that downloads arbitrary code. No risky install URLs or archive extraction are present.

Credentials

The only environment variable referenced is NANO_BANANA_API_KEY (and use of standard HOME for saved files). That aligns with the stated need for an API key; no unrelated credentials or broad environment access are requested.

Persistence & Privilege

The skill persistently saves the API key to ~/.whaleclaw/credentials/nano_banana_api_key.txt (script sets file mode 600 on non-Windows). Persistent storage of the API key is expected for convenience but is a lasting local side-effect the user should be aware of. The skill is not force-installed (always: false) and does not request elevated system privileges.

What to consider before installing

This skill appears to do what it claims: call an external image-generation API and save outputs locally. Before installing, consider:

  1. Network/data: the script will upload prompts and any input images to the remote host (default https://ai.t8star.cn). Do not upload sensitive images or reuse high-privilege API keys you aren’t comfortable sending to that endpoint.
  2. Key persistence: the API key can be saved to ~/.whaleclaw/credentials/nano_banana_api_key.txt (file perms 600 on non-Windows); remove it if you don’t want long-term stored credentials.
  3. Policy mismatch: SKILL.md forbids changing the API base URL and restricts when a key may be captured/saved, but the script includes a --base-url flag and will save any key entered interactively, so the enforcement is partly manual.
  4. Non-interactive WebChat usage: the SKILL.md requires non-interactive, param-driven runs (pass --api-key or env var); make sure the agent/system will supply keys only in the intended scenarios.

If you need stronger guarantees, ask the author to remove the --base-url override and to implement programmatic checks that enforce the SKILL.md capture/save rules (so keys are only stored under the declared conditions).

Like a lobster shell, security has layers — review code before you run it.

MIT-0

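Nano Banana Image Generation Integration Test

Trigger conditions

The user asks to verify whether nano-banana-2 (or a compatible model) is available, and needs real call results for both text-to-image and image-to-image.

Instructions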

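Run the integration test with the script bundled with the skill (preferred):

  • ~/.whaleclaw/workspace/skills/nano-banana-image-t8/scripts/test_nano_banana_2.py
  • If you are currently inside the WhaleClaw repository, the repository script scripts/test_nano_banana_2.py can also be used.

  1. In WebChat scenarios, runs must be driven by parameters from the conversation; relying on the script's background interactive input (input/getpass) is forbidden.
  2. Only this skill's script may be used. Do not generate an ad-hoc Python script with file_write, and do not hand-write curl calls directly to the API.
  3. The API base URL is fixed to https://ai.t8star.cn; changing it to any other domain (such as api.nanobanana.ai) is forbidden.
  4. The API key comes from the user's conversation message and is passed at run time via --api-key or an environment variable; the script writes it to ~/.whaleclaw/credentials/nano_banana_api_key.txt (permissions 600).
  5. Next time, if the user does not provide a key, the saved key can be used directly; if the user provides a new key, overwrite the saved one.
  6. The mode comes from the user's conversation: text-to-image / image-to-image / test both.
  7. Text-to-image takes only the user's prompt (--prompt).
  8. Image-to-image takes the user's prompt plus the paths of the images the user uploaded (--input-image, repeatable); number them in the order received: the first is image 1, the second is image 2.
  9. The output directory defaults to ~/.whaleclaw/workspace/nano_banana_test/ (a fixed user directory that does not depend on the current project cwd).
  10. If the user specified a size or ratio (for example "4:3", "16:9", "1024x1024"), pass it straight through to the script parameters without asking again.
  11. When the user only says "I want to do text-to-image/image-to-image", ask only for the missing required parameters; do not offer a multiple-choice question about ComfyUI, local deployment, or OpenAI options.
  12. Minimum required for text-to-image: a prompt (other settings such as size/model can use defaults). Minimum required for image-to-image: a prompt plus at least 1 image.
  13. Keep replies short and direct; prioritize execution and do not write long plans.
  14. When the user asks to "first check whether there is an API key", only the following sources may be checked:
      • The environment variable NANO_BANANA_API_KEY
      • The saved file ~/.whaleclaw/credentials/nano_banana_api_key.txt
  15. Key checks must call the script first: test_nano_banana_2.py --check-key. Scanning other project directories or .env files is forbidden.
  16. A key starting with sk- may be extracted and saved only when either of the following conditions holds:
      • The user explicitly sends /use nano-banana-image-t8
      • The same message explicitly contains nanobanana/nano-banana and its meaning is text-to-image/image-to-image
  17. Outside this skill's scenarios (for example, the user mentions an API key while working on another task), capturing or saving that key is forbidden.
  18. When it is unclear whether the message belongs to this skill's scenario, first ask "Is this for the Nano Banana image generation skill?" and then decide whether to save.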
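
The capture conditions and the fixed base URL in the rules above are enforced only by the agent following instructions. The block below is an added example, not part of the skill's script or of the original page, showing one way to check them in code; the intent keyword list and the key character set are assumptions, since the rules only say keys start with sk-.

```python
import os
import re
from urllib.parse import urlsplit

PINNED_HOST = "ai.t8star.cn"            # base URL fixed by SKILL.md
ACTIVATION = "/use nano-banana-image-t8"
SKILL_NAMES = ("nanobanana", "nano-banana")
# Assumption: these keywords stand in for "the message is about image generation".
INTENT_WORDS = ("文生图", "图生图", "text-to-image", "image-to-image")
# Assumption: key charset and minimum length; the page only says keys start with "sk-".
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])sk-[A-Za-z0-9_-]{8,}")


def check_base_url(url: str) -> str:
    """Accept only https://ai.t8star.cn (no userinfo, no alternate port or host)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != PINNED_HOST:
        raise ValueError(f"base URL not allowed: {url!r}")
    return f"https://{PINNED_HOST}"


def key_to_capture(message: str):
    """Return the sk- key in `message` only when a SKILL.md capture condition holds."""
    lowered = message.lower()
    in_scope = ACTIVATION in lowered or (
        any(name in lowered for name in SKILL_NAMES)
        and any(word in lowered for word in INTENT_WORDS)
    )
    match = KEY_RE.search(message)
    return match.group(0) if in_scope and match else None


def save_key(key: str, path: str) -> None:
    """Create the key file with mode 600 from the start, not by chmod after writing."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key)
    if os.name != "nt":
        os.chmod(path, 0o600)  # tighten a pre-existing file that had a looser mode
```

A caller would save only when key_to_capture returns a value, and would fall back to the clarifying question from the rules when it returns None but the message contains something that looks like a key.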

Image-to-image prompt example:

  • Have the girl from image 1 stand in the background from image 2

Command to run (preferred):

python ~/.whaleclaw/workspace/skills/nano-banana-image-t8/scripts/test_nano_banana_2.py \
  --api-key '<你的key>' \
  --model 'nano-banana-2' --edit-model 'nano-banana-2'

Mandatory text-to-image template (WebChat):

python ~/.whaleclaw/workspace/skills/nano-banana-image-t8/scripts/test_nano_banana_2.py \
  --mode text \
  --api-key '<从用户消息提取的key或留空走已保存key>' \
  --prompt '<用户提示词>' \
  --aspect-ratio '<用户比例,如4:3;未提供则auto>' \
  --out-dir '~/.whaleclaw/workspace/nano_banana_test'

Skill-directory script example (also works on another machine where only the SKILL is installed):

python ~/.whaleclaw/workspace/skills/nano-banana-image-t8/scripts/test_nano_banana_2.py \
  --api-key '<你的key>' \
  --model 'nano-banana-2' --edit-model 'nano-banana-2'

Image-to-image example with multiple images:

python ~/.whaleclaw/workspace/skills/nano-banana-image-t8/scripts/test_nano_banana_2.py \
  --mode edit \
  --api-key '<你的key>' \
  --edit-model 'nano-banana-2-2k' \
  --prompt '让图1的女孩站在图2的背景中' \
  --input-image '图片1绝对路径' \
  --input-image '图片2绝对路径' \
  --aspect-ratio 'auto'

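Note: the python command is automatically replaced by WhaleClaw with the project's embedded Python, so there is no need to specify a path manually. The API key must be passed via the --api-key parameter; do not use environment-variable assignment syntax (Windows does not support the KEY=val cmd form).

Optional parameters:

  • --base-url: defaults to https://ai.t8star.cn
  • --size: specify pixels directly, e.g. 1024x1024
  • --aspect-ratio: ratio mode, e.g. auto, 4:3, 16:9 (takes effect when --size is empty)
  • --mode: text / edit / both
  • --prompt: the prompt (required in WebChat; comes from the chat input)
  • --input-image: input image for image-to-image; can be passed multiple times
  • --out-dir: defaults to ~/.whaleclaw/workspace/nano_banana_test

About 2K: prefer controlling it through the model name, for example nano-banana-2-2k; the ratio parameter does not necessarily map to 2K pixels automatically.

On failure, return a structured error first: HTTP status code, request URL, response body. If the key, prompt, or image is missing, do not run the script's background interactive input; ask the user for the parameters directly in the conversation and then retry.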

Tools

  • bash
  • file_read

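Example

User: Help me test text-to-image and image-to-image with nano-banana-2.
Assistant: Runs the test script and returns the paths of the two output images along with the API response results.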
