Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Banana Pro 1.0.1

v1.0.0

Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and script all describe an image-generation/editing skill using Google's Gemini (genai) API — this is coherent. However, the skill registry declares no required credentials or binaries while the runtime actually needs an API key (GEMINI_API_KEY or --api-key) and the 'uv' runner. The package metadata ownerId in _meta.json does not match the registry Owner ID, which is a red flag about provenance or bundling.
Instruction Scope
The SKILL.md instructions are narrowly scoped to generating or editing images: they describe how to run the script, how to pass prompts/filenames, resolution mapping, and basic preflight checks (uv exists, API key present, input image file exists). The script only reads the provided input image path (if any) and the GEMINI_API_KEY env var; it does not attempt to read unrelated files or system configuration.
Install Mechanism
There is no install spec (instruction-only skill with one local script). The Python script lists dependencies in comments (google-genai, pillow) but does not download anything at install time. No external, arbitrary download URLs or extract operations are present.
Credentials
The script requires an API key (GEMINI_API_KEY or passed via --api-key) to function, but the registry metadata declares no required environment variables or primary credential. Additionally, the SKILL.md expects the 'uv' runner but the registry lists no required binaries. These omissions are disproportionate to the declared metadata and increase the risk of accidental misuse (for example users pasting API keys into chat to supply --api-key).
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false), does not modify other skills or global agent configuration, and has no special OS restrictions. Autonomous invocation is allowed but is the platform default and not by itself a concern.
What to consider before installing
This skill appears to do what it claims (image generation via Google Gemini), but there are configuration and provenance issues you should address before installing or using it:
1) The runtime requires a Gemini API key (GEMINI_API_KEY) and the 'uv' runner, but those are not declared in the registry metadata — treat this as a packaging/metadata bug.
2) Do not paste your API key into a chat to provide --api-key; prefer setting GEMINI_API_KEY locally in a secure environment.
3) The ownerId in _meta.json differs from the registry Owner ID — verify the skill's source and author (no homepage provided).
4) If you proceed, run the script in an isolated environment, confirm the google-genai/pillow dependencies come from trusted registries, and consider setting least-privilege API keys (limited scope/quota) for testing.
If the author cannot explain the metadata omissions and owner mismatch, prefer not to install.


