Skill v1.0.1

ClawScan security

nano banana text to image in Atlas AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 28, 2026, 12:10 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to do what it says (call AtlasCloud to generate images) but has mismatches between its manifest and runtime instructions (it needs a token and node), asks to store a secret in agent memory, and writes results to disk — review these inconsistencies before installing.
Guidance
This skill appears to implement AtlasCloud text→image generation, but there are a few things to check before installing:
1) The SKILL.md and generate.js require the node binary and an AtlasCloud API token, yet the registry metadata doesn’t declare those — treat that as a packaging oversight or ask the author for clarification.
2) The skill asks the agent to save the AtlasCloud token to memory; if you’re cautious, prefer to provide a short-lived or limited-scope token and confirm how long the platform persists memory.
3) The script writes last_result.json and last_url.txt to disk (in the skill folder); consider whether you’re comfortable with those artifacts on the host.
4) Review generate.js yourself (it’s short and uses only https/http/fs) and verify the AtlasCloud endpoints are expected.
If you don’t trust the source or cannot confirm the missing metadata, don’t install or provide long-lived/high-privilege credentials.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose is text→image via AtlasCloud Nanobanana, which matches the included generate.js. However, the registry metadata lists no required binaries or credentials, while SKILL.md (and the script) require the node binary and an AtlasCloud API token. The manifest/requirements and SKILL.md are inconsistent.
Instruction Scope
note: SKILL.md instructs the agent to check memory for atlascloud_token, ask the user for it if absent, save it to memory, write params to {baseDir}/params.json, run a local node script, and extract an IMAGE_URL from stdout. Those steps are coherent with the stated task, but the explicit instruction to persist the token in memory and to log/print full API responses (the script logs the entire poll response) are sensitive behaviors that should be acknowledged.
Install Mechanism
ok: There is no install spec (instruction-only with an included generate.js). No external downloads or package installs are performed; the Node script uses only built-in Node modules and package.json has no dependencies. This is low-install risk.
Credentials
concern: The skill requires a user AtlasCloud API token at runtime (SKILL.md and generate.js expect it) but the registry metadata declares no required env vars or primary credential. Asking the agent to store the token in memory introduces persistence of a secret. The requested/used credentials are plausible for the feature, but the lack of declaration is an inconsistency and storing secrets in memory should be considered.
Persistence & Privilege
note: The skill does not request 'always' or other elevated privileges and will not autonomously persist itself. It does, however, instruct/perform writing of last_result.json and last_url.txt next to the script and asks the agent to save the token to memory — local file writes and memory storage are normal for this use but are persistent artifacts the user should be aware of.