Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
materials-science-figure-skill
v1.0.5
Use when the user wants to generate or edit images with Google's Nanobanana/Gemini image models using the official Gemini API shape, or when they need public...
by Siyu Liu (@grenzlinie)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required env vars (NANOBANANA_API_KEY, NANOBANANA_BASE_URL), and the included Python/optional Node scripts all match the declared purpose of Gemini-style image generation and local publication plotting. The JS files are presented as an optional parity CLI and Python is the canonical runtime — this is consistent.
Instruction Scope
SKILL.md instructs the agent to build prompts, optionally run local plotting, and call a Gemini-compatible generateContent endpoint with the API key and any input images. The instructions confine file reads and writes to the included templates, prompt/spec files, and output directories, and they require explicit consent before a third-party endpoint is used. There are no instructions to read unrelated system files or to exfiltrate arbitrary environment variables.
Install Mechanism
This is instruction-only (no install spec), which is low-risk. However, the bundled scripts depend on Python libraries (matplotlib, numpy) and Node's fetch/runtime for the JS parity CLI; those dependencies are not declared in an install spec. You will need an appropriate Python environment (and possibly Node) to run the scripts.
Credentials
Only NANOBANANA_API_KEY and NANOBANANA_BASE_URL (plus optional NANOBANANA_API_KEY_FILE and NANOBANANA_ALLOW_THIRD_PARTY) are requested, which is proportionate to calling a Gemini-compatible API. The primaryEnv is the API key, which is expected. The skill also documents safer key handling (API key file, avoiding CLI exposure).
Persistence & Privilege
No elevated privileges are requested. always is false and disable-model-invocation is true (the agent will not invoke the skill autonomously), and the skill does not attempt to modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: local plotting (plot mode) and Gemini-style image generation (image mode). Before installing, consider:
1) Only set NANOBANANA_API_KEY and NANOBANANA_BASE_URL for a provider you trust: any input images and the API key are sent to that endpoint. Prefer the official Google endpoint; enabling a third-party endpoint requires an explicit allow flag or the NANOBANANA_ALLOW_THIRD_PARTY env var.
2) Use NANOBANANA_API_KEY_FILE or environment variables rather than putting the key on the command line, which would leave it in shell history.
3) plot mode runs entirely locally and needs neither network access nor an API key.
4) Ensure your environment has the required Python packages (matplotlib, numpy) and/or Node if you plan to use the JS CLI; these dependencies are not auto-installed.
5) Review any third-party base_url carefully, because it will receive the uploaded images and the API key.
Overall the skill is coherent and proportionate, not suspicious, but follow the guidance above to reduce operational risk.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing. Both hits are in the optional JS parity CLI and correspond to the behaviour the skill declares (reading the API key from the environment or key file and posting it together with input images to the configured endpoint); what matters is where NANOBANANA_BASE_URL points.
scripts/generate_image.js:9
Environment variable access combined with network send.
scripts/generate_image.js:14
File read combined with network send (possible exfiltration).
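As an added illustration, not the skill's own code (which this listing does not show), the Python sketch below applies the operational rules from the assessment: the key comes from NANOBANANA_API_KEY_FILE or NANOBANANA_API_KEY rather than the command line, a non-official host is refused unless NANOBANANA_ALLOW_THIRD_PARTY=1 opts in, and the request is assembled and summarised so you can see exactly what would leave the machine (the key header plus the base64-encoded image) before anything is sent. The official hostname generativelanguage.googleapis.com, the v1beta generateContent path, the x-goog-api-key header and the model name are assumptions about the Gemini API shape, not taken from this page; the request is built but never transmitted.

```python
import base64
import os
from pathlib import Path
from urllib.parse import urlparse

# Assumed official Gemini API host; the listing only says "the official Google endpoint".
OFFICIAL_HOST = "generativelanguage.googleapis.com"


def resolve_api_key(env):
    """Read the key from NANOBANANA_API_KEY_FILE first, then NANOBANANA_API_KEY.

    The key is never accepted as a CLI argument, so it cannot end up in shell
    history or `ps` output. `env` is any mapping, e.g. os.environ.
    """
    key_file = env.get("NANOBANANA_API_KEY_FILE")
    if key_file:
        key = Path(key_file).read_text(encoding="utf-8").strip()
        if key:
            return key
    key = env.get("NANOBANANA_API_KEY", "").strip()
    if not key:
        raise RuntimeError("set NANOBANANA_API_KEY_FILE or NANOBANANA_API_KEY")
    return key


def check_base_url(env):
    """Return the base URL to call, refusing third-party hosts unless explicitly allowed."""
    base = env.get("NANOBANANA_BASE_URL") or f"https://{OFFICIAL_HOST}"
    parsed = urlparse(base)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-HTTPS base URL: {base}")
    if parsed.hostname != OFFICIAL_HOST and env.get("NANOBANANA_ALLOW_THIRD_PARTY") != "1":
        raise PermissionError(
            f"{parsed.hostname} is not {OFFICIAL_HOST}; set NANOBANANA_ALLOW_THIRD_PARTY=1 to opt in"
        )
    return base.rstrip("/")


def build_request(base_url, api_key, model, prompt, image_bytes=None, mime_type="image/png"):
    """Assemble the generateContent call without sending it.

    The shape (v1beta path, x-goog-api-key header, inline_data part) is an
    assumption about the Gemini API made for this example.
    """
    parts = [{"text": prompt}]
    if image_bytes is not None:
        parts.append({"inline_data": {
            "mime_type": mime_type,
            "data": base64.b64encode(image_bytes).decode("ascii"),
        }})
    return {
        "url": f"{base_url}/v1beta/models/{model}:generateContent",
        "headers": {"x-goog-api-key": api_key, "Content-Type": "application/json"},
        "json": {"contents": [{"role": "user", "parts": parts}]},
    }


def egress_summary(req):
    """Log-safe view of what the request would send: host, masked key, image byte count."""
    parts = req["json"]["contents"][0]["parts"]
    image_bytes = sum(len(base64.b64decode(p["inline_data"]["data"]))
                      for p in parts if "inline_data" in p)
    key = req["headers"]["x-goog-api-key"]
    return {
        "host": urlparse(req["url"]).hostname,
        "api_key": f"{key[:2]}...{key[-2:]}",  # never log the full key
        "image_bytes": image_bytes,
    }


if __name__ == "__main__":
    # Constructed sample input: a few bytes standing in for a PNG.
    sample_png = b"\x89PNG\r\n\x1a\n"
    env = dict(os.environ)
    env.setdefault("NANOBANANA_API_KEY", "example-key-not-real")  # constructed for the demo
    req = build_request(check_base_url(env), resolve_api_key(env),
                        "image-model", "Render the figure", sample_png)
    print(egress_summary(req))
```

Printing egress_summary before the first real call is the cheap check the assessment asks for: if the host is not the one you expected, or an image is attached in plot mode, stop before the key and the image leave the machine.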
latest: vk9702jm23det6mz86gf75zr4z5830jwa
Runtime requirements
Any bin: python3, python
Env: NANOBANANA_API_KEY, NANOBANANA_BASE_URL
Primary env: NANOBANANA_API_KEY
