Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Banana Image

v1.0.0

Generate and edit AI images with NanoBanana (Gemini-based) via AceDataCloud API. Use when creating images from text prompts or editing existing images with t...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (generate/edit images via AceDataCloud NanoBanana) aligns with the curl examples and editing workflows in SKILL.md. Requesting an ACEDATACLOUD_API_TOKEN is coherent for this purpose. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none', which contradicts the SKILL.md that explicitly requires ACEDATACLOUD_API_TOKEN.
Instruction Scope
The runtime instructions are narrowly scoped to calling AceDataCloud endpoints (https://api.acedata.cloud/…) and optional installation/use of an MCP helper package. The SKILL.md does not instruct reading unrelated files, other environment variables, or sending data to unexpected third parties.
Install Mechanism
There is no install spec (instruction-only), which reduces risk. The documentation suggests 'pip install mcp-nano-banana' as an optional helper; installing third-party Python packages can run arbitrary code, and the package origin isn't verified in the SKILL.md. This is expected for optional tooling but worth checking before installing.
Credentials
The SKILL.md requires ACEDATACLOUD_API_TOKEN (appropriate for calling the API), but the skill metadata lists no required environment variables or primary credential. The SKILL.md referencing an env var that isn't declared in the registry is a manifest inconsistency and could lead to unexpected behavior or user confusion. Ensure the token scope and privileges are minimized before providing it.
Persistence & Privilege
The skill is instruction-only, has always:false, and does not request persistent system privileges or attempt to modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but does not combine with other high-risk flags here.
What to consider before installing
This skill appears to do what it says (call AceDataCloud's NanoBanana image API). Before installing or using it:

1) Note the SKILL.md requires ACEDATACLOUD_API_TOKEN, but the registry metadata omitted that — treat that as a metadata error and avoid pasting tokens into unknown UIs until you confirm where the token will be stored and used.
2) Be aware that using the skill will send prompts and image URLs to https://api.acedata.cloud — do not send sensitive images or PII unless you trust the service and understand your account's data retention/policy.
3) The SKILL.md suggests an optional pip package (mcp-nano-banana); only install it if you inspect the package source (PyPI/GitHub) and accept its code.
4) Prefer creating a limited-scope API token for this skill and revoke it if you stop using the integration.

If you want higher assurance, ask the publisher to update the registry metadata to declare ACEDATACLOUD_API_TOKEN as a required/primary credential and to document the provenance of the mcp-nano-banana package.


latestvk97f9ckyca6tkpe910mka1dnn183d52g
