Skillv0.1.5

ClawScan security

Nano Banana Image T8 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 5:45 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it claims (call a Nano Banana image API using a bundled script) but contains inconsistencies and a concrete risk where the saved API key could be leaked when the script follows image URLs returned by the service.
Guidance: This skill is mostly coherent with its stated purpose but contains a few things to review before installing or using it with real credentials: - The script will save any provided API key to ~/.whaleclaw/credentials/nano_banana_api_key.txt (mode 600). If you allow the skill to store a key, be prepared to rotate it if you later uninstall the skill. - The script follows image URLs returned by the API and performs HTTP GET on them. If the http client includes your Authorization header when fetching those URLs, your API key could be leaked to whatever host is referenced in the response (third-party CDN or an internal IP). Ask the maintainer or inspect/patch the script so that requests to image URLs do not include the Authorization header (or validate/whitelist hosts before fetching). - SKILL.md forbids changing the base URL but the script accepts a --base-url argument; decide whether you trust the script caller to adhere to the policy. An attacker or misconfiguration could point --base-url to a different host. - The script's internal default model string (e.g., gemini-3.1-flash-image-preview) differs from the external display names in the SKILL.md. That is likely benign but worth noting if you care about model-identifiers being revealed. - Registry metadata lists no required env vars but the skill expects an API key param mapped to NANO_BANANA_API_KEY — this metadata mismatch may affect automated tooling. Confirm how your agent platform will surface the API key prompt and where the key will be stored. If you decide to use it: inspect the script (or request a change) so that (1) when fetching image URLs it strips Authorization and other sensitive headers, (2) it validates/whitelists hosts for external fetches, and (3) behavior around default model display vs internal identifiers is explicit. If you cannot inspect or modify the script, consider using a throwaway/limited-scope API key.

Review Dimensions

Purpose & Capability: noteName/description, SKILL.md, and the included script all point to an image-generation/test helper for a Nano Banana API — that is coherent. However, registry metadata says no required env vars while SKILL.md enforces an API key parameter (and the script expects an API key), which is an inconsistency. Also SKILL.md insists the base URL is fixed to https://ai.t8star.cn, but the script exposes a --base-url option (inconsistent).
Instruction Scope: concernSKILL.md instructs the agent to use the included script and to only capture and save API keys in tightly constrained situations — which is consistent with the script's behavior. The script, however, will fetch arbitrary URLs returned in the API response (client.get(url_value)). If those URLs point to third-party or internal hosts, the script performs HTTP requests to them, which is broader network activity than 'just calling the API' and can lead to data leakage or SSRF-like risks.
Install Mechanism: okNo install spec; this is instruction-only with a bundled script. Nothing is downloaded or executed from external installers during install, which is low risk.
Credentials: concernRequesting and persisting a single API key is reasonable for this task. But registry metadata claiming no required env vars conflicts with SKILL.md's param guard that requires an API Key (and maps it to env var NANO_BANANA_API_KEY). The script writes the API key to ~/.whaleclaw/credentials/nano_banana_api_key.txt (permission 600) which is expected, but the code also uses an http client to fetch arbitrary image URLs returned by the API — if that client forwards the Authorization header when fetching those URLs it could leak the saved API key to third-party/internal hosts.
Persistence & Privilege: noteThe skill persists the API key and an optionally saved default model under the user's home directory (~/.whaleclaw). always: false, and it does not request system-wide changes or modify other skills. Persisting user API keys is expected behavior for a client tool, but the user should be aware keys are stored on disk.