Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

nano banana image to image

v1.0.1

Edit or combine images by applying styles or elements from one image to another while preserving identity, pose, and lighting using AtlasCloud Nanobanana model.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for guilherme-funchal/nano-banana-atlas-ai.

Install the skill "nano banana image to image" (guilherme-funchal/nano-banana-atlas-ai) from ClawHub.
Skill page: https://clawhub.ai/guilherme-funchal/nano-banana-atlas-ai
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install nano-banana-atlas-ai

ClawHub CLI

npx clawhub@latest install nano-banana-atlas-ai
Security Scan
Capability signals
Crypto · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and instructions match the stated purpose (calling AtlasCloud's Nanobanana edit model). Declared runtime needs (node/npm/axios) align with the included generate.js. However, the repository contains a .env with a hardcoded ATLASCLOUD_API_KEY and sample outputs (last_url.txt, last_result.json) even though the skill's metadata declares no required env vars — this mismatch is unexpected and should be explained.
Instruction Scope
SKILL.md keeps to the task: it tells the agent to obtain an AtlasCloud token (from memory or by asking the user), write params.json, run node generate.js, then read last_url.txt and return that URL. The instructions do not ask the agent to read unrelated system paths or external services. One oddity: the strong insistence to read last_url.txt (not conversation history) is unusual but consistent with how the script writes outputs.
Install Mechanism
There is no external download/install step in the manifest (instruction-only), and dependencies are standard (axios via npm). package.json/package-lock.json are included so installing via npm is expected and not high-risk. The SKILL.md's embedded install metadata recommending installing axios is redundant but not harmful.
Credentials
The skill requests no environment variables in metadata, but the shipped files include .env with ATLASCLOUD_API_KEY=apikey-... (hardcoded credential). That is disproportionate/unexpected: either this is a leftover sample key (still risky), or it leaks a credential. The code itself expects a token argument; it does not automatically read .env, but the presence of the key in the bundle increases the risk of accidental leak or misuse. The script also logs full HTTP responses during polling, which may expose sensitive info in logs.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable. It writes files (last_url.txt, last_result.json) in its own directory — expected for a client script but consider their presence when sharing the workspace.
Scan Findings in Context
[hardcoded-credential] unexpected: .env contains a hardcoded ATLASCLOUD_API_KEY value. The skill's metadata did not declare required env vars; embedding an API key in the package is unexpected and risky (could be a sample key, but it should be removed or rotated).
[verbose-network-logging] expected: generate.js logs the full GET response body on each poll (console.log of res.data). This is useful for debugging but can leak tokens, endpoints, or other metadata in logs; expected for a client but privacy-sensitive.
[external-endpoints] expected: The code calls https://api.atlascloud.ai and the sample outputs reference atlas-media / atlas-img OSS URLs (aliyuncs). Those endpoints are consistent with the declared AtlasCloud purpose.
What to consider before installing
This package is basically an AtlasCloud image-to-image client and appears to do what it claims, but take precautions before installing or running it:
  • Treat the included .env API key as untrusted. Do not use it; if you need to test, provide your own AtlasCloud token. Remove or rotate any embedded keys before sharing the package.
  • The script logs full API responses and writes last_url.txt / last_result.json to disk; run it in an isolated environment if the images or logs are sensitive.
  • Confirm you trust the AtlasCloud endpoints (api.atlascloud.ai and the OSS image hosts) and that you want those external network calls.
  • Prefer entering your token at runtime rather than relying on any files in the skill bundle or saving tokens into shared memory.
If you want a cleaner/safer package: remove the .env file (or replace with a placeholder), reduce log verbosity, and document whether the included ATLASCLOUD_API_KEY is a demo key and whether it is valid.
generate.js:116
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
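
The credential and leftover-output findings above can be checked mechanically before a bundle is installed or published. This is an added example, not part of the skill or of ClawHub's scanner; auditBundle, the in-memory files map, the declaredEnv list, and the rule names other than hardcoded-credential are assumptions of this example.

```javascript
// Added example: audit a skill bundle held in memory.
// files: { relativePath: textContent }; declaredEnv: env var names the
// skill metadata declares (both shapes are assumptions of this example).
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)/i;
const PLACEHOLDER = /^(|<.*>|your[-_].*|changeme|xxx+|\*+)$/i;
const RUNTIME_OUTPUTS = new Set(['last_url.txt', 'last_result.json']);

// Minimal dotenv reader: NAME=value lines, optional "export", optional quotes.
function parseDotenv(text) {
  const pairs = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (m) pairs.push([m[1], m[2].replace(/^(['"])(.*)\1$/, '$2')]);
  }
  return pairs;
}

// Findings carry the variable name and path, never the secret value itself.
function auditBundle(files, declaredEnv = []) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const base = path.split('/').pop();
    if (base === '.env' || base.startsWith('.env.')) {
      for (const [name, value] of parseDotenv(text)) {
        if (SECRET_NAME.test(name) && !PLACEHOLDER.test(value)) {
          findings.push({ rule: 'hardcoded-credential', path, name });
        }
        if (!declaredEnv.includes(name)) {
          findings.push({ rule: 'undeclared-env', path, name });
        }
      }
    }
    if (RUNTIME_OUTPUTS.has(base)) {
      findings.push({ rule: 'shipped-runtime-output', path });
    }
  }
  return findings;
}

// Constructed sample bundle; the key value is a made-up string, not a real key.
const sampleBundle = {
  '.env': 'ATLASCLOUD_API_KEY=apikey-EXAMPLE-not-a-real-key\n',
  'generate.js': '// client script\n',
  'last_url.txt': 'https://example.invalid/out.png\n',
};
console.log(auditBundle(sampleBundle, []));
```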

Like a lobster shell, security has layers — review code before you run it.

latest vk971k95kfamnam2cjetq3450es85ewk3
65 downloads
0 stars
2 versions
Updated 3d ago
v1.0.1
MIT-0

Atlas Nanobanana Image-to-Image 🖼️

Edits and combines images using the AtlasCloud Nanobanana 2 Edit model (google/nano-banana-2/edit).


Token Setup

Before generating images, you need the user's AtlasCloud API token.

  • Check memory for atlascloud_token.
  • If not found, ask the user: "Please provide your AtlasCloud API token to get started."
  • Save the token to memory as atlascloud_token so it is not needed again.

How to Generate an Image

Step 1: Write the params to {baseDir}/params.json.

Step 2: Run the script:

node {baseDir}/generate.js <TOKEN> {baseDir}/params.json

Step 3 — REQUIRED: After the script finishes, run this bash command to read the generated URL:

cat {baseDir}/last_url.txt

⚠️ CRITICAL: Step 3 is mandatory and irreplaceable. The correct URL is ONLY in last_url.txt. Run cat as a separate bash command and use the exact text returned. Never use a URL from the conversation history, previous files in the context, or any other source.

Report the URL from last_url.txt to the user.


params.json — Correct Payload

⚠️ IMPORTANT: Never include media_resolution in the payload — it causes an HTTP 500 error.

{
  "prompt": "Replace the dress on the model in image 0 with the dress from image 1. Preserve identity, face, pose, and lighting.",
  "images": [
    "https://url-of-base-image.png",
    "https://url-of-reference-image.png"
  ],
  "aspect_ratio": "16:9",
  "output_format": "png",
  "resolution": "1k",
  "enable_base64_output": false,
  "enable_sync_mode": false,
  "enable_web_search": false,
  "enable_image_search": false
}

Available Fields

| Field | Required | Default | Options |
|---|---|---|---|
| prompt | ✅ yes | — | any text |
| images | ✅ yes | — | array of 1–4 URLs |
| aspect_ratio | no | 16:9 | 1:1, 4:3, 3:4, 16:9, 9:16, 21:9 |
| resolution | no | 1k | 1k, 2k, 4k |
| output_format | no | png | png, jpeg |
| enable_web_search | no | false | true, false |
| enable_image_search | no | false | true, false |
| enable_base64_output | no | false | true, false |
| enable_sync_mode | no | false | true, false |

Do not include media_resolution — it causes a 500 error.
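
The field table above can be enforced before params.json is handed to generate.js, so a payload written by the agent is rejected locally instead of failing at the API. This is an added example, not code from the skill; validateParams is a name used only here, and restricting image URLs to http(s) and rejecting fields not listed in the table are assumptions of this example.

```javascript
// Added example: allowlist validation of params.json against the field table.
const ENUMS = {
  aspect_ratio: ['1:1', '4:3', '3:4', '16:9', '9:16', '21:9'],
  resolution: ['1k', '2k', '4k'],
  output_format: ['png', 'jpeg'],
};
const BOOLEANS = ['enable_web_search', 'enable_image_search',
  'enable_base64_output', 'enable_sync_mode'];
const ALLOWED = new Set(['prompt', 'images', ...Object.keys(ENUMS), ...BOOLEANS]);

// Returns a list of error strings; an empty list means the payload is acceptable.
function validateParams(params) {
  if (params === null || typeof params !== 'object' || Array.isArray(params)) {
    return ['payload must be a JSON object'];
  }
  const errors = [];
  for (const key of Object.keys(params)) {
    if (key === 'media_resolution') errors.push('media_resolution must be removed (HTTP 500)');
    else if (!ALLOWED.has(key)) errors.push(`unknown field: ${key}`);
  }
  if (typeof params.prompt !== 'string' || params.prompt.trim() === '') {
    errors.push('prompt is required');
  }
  const images = params.images;
  if (!Array.isArray(images) || images.length < 1 || images.length > 4) {
    errors.push('images must be an array of 1-4 URLs');
  } else {
    images.forEach((u, i) => {
      let ok = false;
      try { ok = ['http:', 'https:'].includes(new URL(u).protocol); } catch { ok = false; }
      if (!ok) errors.push(`images[${i}] is not an http(s) URL`);
    });
  }
  for (const [key, options] of Object.entries(ENUMS)) {
    if (key in params && !options.includes(params[key])) {
      errors.push(`${key} must be one of ${options.join(', ')}`);
    }
  }
  for (const key of BOOLEANS) {
    if (key in params && typeof params[key] !== 'boolean') errors.push(`${key} must be true or false`);
  }
  return errors;
}

// Constructed payload: valid apart from the forbidden field.
const rejected = { prompt: 'Swap the dress', images: ['https://example.invalid/a.png'], media_resolution: 'high' };
console.log(validateParams(rejected));
```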


Prompt Tips for Image-to-Image

  • Refer to images by position: "image 0" (base), "image 1" (reference).
  • State clearly what to preserve: face, pose, proportions, lighting, background.
  • State clearly what to replace: the clothing, the background, the style.
  • Use negative instructions: "DO NOT change the face", "DO NOT transfer human elements from image 1".

Error Handling

| Error | Probable Cause | Solution |
|---|---|---|
| HTTP 500 | media_resolution present in payload | Remove media_resolution from params.json |
| HTTP 500 | Invalid or expired token | Request a new token from the user and refresh memory |
| Link does not update | Step 3 was not executed | Run cat {baseDir}/last_url.txt as a bash command |
| Timeout | Resolution too high | Try again with "resolution": "1k" |
| Job failed | Image URLs inaccessible | Check if images are public |


When to use this skill:

  • "swap the clothes in this photo"
  • "apply the style from image 1 to image 0"
  • "edit this image using another as a reference"
  • "change clothes in the photo"
  • "combine two images with AI"
