Paperbanana
v0.1.1
Generate publication-quality academic diagrams, methodology figures, architecture illustrations, and statistical plots from text descriptions using the Paper...
by Bennett @goatinahat
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and README. The skill requires an LLM/VLM provider API key (Gemini/OpenAI/OpenRouter) and the 'uv' binary to run the packaged Python scripts — these are reasonable for an on-demand diagram/plot generation skill. The declared primary credential (GOOGLE_API_KEY) fits the documented auto-detection priority (Gemini → OpenAI → OpenRouter).
Instruction Scope
Runtime instructions and scripts explicitly read user-provided inputs (text files, CSV/JSON, image paths) and send them to external LLM/VLM providers for planning, image generation, and evaluation. Generated images may also be sent back to the provider for VLM-based evaluation. This is documented in SKILL.md and is coherent with the stated purpose, but it means any data you pass (including files you point to) will be transmitted to third-party APIs.
Install Mechanism
There is no registry install spec; the skill relies on 'uv' to create an isolated environment and install the PyPI package 'paperbanana[all-providers]'. Using PyPI for the package is expected. The README suggests installing 'uv' via a curl | sh one-liner (remote install script) — that is common but has the usual remote-install risks; verify the 'uv' install script and the PyPI package/project before running.
Credentials
The skill requests provider API keys (GOOGLE_API_KEY, OPENAI_API_KEY, OPENROUTER_API_KEY) which are necessary for the LLM/VLM and image-generation work it performs. No unrelated credentials, secrets, or system config paths are requested. Minor metadata mismatch: registry lists 'Required env vars: none' while primaryEnv is set to GOOGLE_API_KEY and SKILL.md says at least one provider key is required — this is a documentation inconsistency but not a functional mismatch.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It writes transient output under /tmp and does not modify other skills or system-wide configs. API keys are read from the environment/config and are not persisted by the skill.
Assessment
This skill appears internally consistent and implements the advertised workflow, but remember: (1) it sends whatever text, CSV/JSON, and images you provide to external LLM/VLM/image APIs — don't use it with sensitive or proprietary data unless your policy allows it; (2) it relies on 'uv' and a PyPI package (paperbanana[all-providers]) — verify the PyPI project and the GitHub repos linked in the SKILL.md/README before installing; (3) the README suggests installing 'uv' via a curl|sh command — review that script before running it; (4) provide a provider API key with appropriate billing/permissions and consider using a dedicated key/account for this skill to limit blast radius. The small documentation inconsistency about 'required env vars' is minor but worth noting.
Like a lobster shell, security has layers — review code before you run it.
latest vk97exn4bafrqqahv5thyhahq7n8228b6
Runtime requirements
🍌 Clawdis
Bins: uv
Primary env: GOOGLE_API_KEY
