v0.1.8

Nano Banana Image T8

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:13 AM.

Analysis

This skill appears purpose-aligned for generating or editing images, but it uses and stores a Nano Banana API key and sends prompts/images to an external API.

Guidance: This looks coherent for an image-generation skill. Before installing, make sure you trust the external API provider and are comfortable with the skill storing a Nano Banana API key under your WhaleClaw credentials directory and sending prompts/images to https://ai.t8star.cn.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low. Confidence: High. Status: Note.
SKILL.md
Run the integration test with the skill's bundled script (preferred): `~/.whaleclaw/workspace/skills/nano-banana-image-t8/scripts/test_nano_banana_2.py`

The skill expects the agent to run an included Python script through bash. This is disclosed and directly related to the skill’s purpose, but users should notice that local code execution is part of normal operation.

User impact: Using the skill may run the bundled Python helper script on the local machine to call the image API and save outputs.
Recommendation: Review the bundled script and only install it in an environment where running local helper code is acceptable.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
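Severity: Medium. Confidence: High. Status: Note.
SKILL.md
The API key comes from the user's chat message and is passed at run time via `--api-key` or an environment variable; the script writes it to disk at `~/.whaleclaw/credentials/nano_banana_api_key.txt` (permissions 600).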

The skill requires a user-provided API key and saves it locally for reuse. This is expected for the service integration and disclosed, but it is still sensitive credential handling.

User impact: Anyone installing the skill should understand that the Nano Banana API key may be stored locally and reused for later image-generation requests.
Recommendation: Use a dedicated API key with limited scope if available, monitor usage, and delete or rotate the key if you stop trusting the skill or the machine.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium. Confidence: High. Status: Note.
SKILL.md
The API base URL is fixed to `https://ai.t8star.cn`... Image-to-image uses the user's prompt plus the paths of user-uploaded images (`--input-image` may be repeated)

The skill discloses that prompts and uploaded image files are used with an external API endpoint. This is central to image generation/editing, but it means user content leaves the local environment.

User impact: Prompts and any images used for image-to-image editing may be transmitted to the external Nano Banana/T8 API service.
Recommendation: Avoid submitting private, confidential, or regulated images/prompts unless you trust the API provider and its data handling.