NanoBanana PPT Skills
Warn
Audited by ClawScan on May 10, 2026.
Overview
The PPT-generation purpose is coherent, but the artifacts show credential-handling problems, including a scanned/embedded API-secret literal and overconfident safety claims.
Review and clean up the credential documentation before installing. Use your own scoped Gemini/Kling keys, avoid pasting real keys into shared prompts, rotate any key that might have been exposed, and only process documents you are comfortable sending to the stated AI providers.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A real API key in the package could be abused for API usage or billing, and secret-like examples make it harder to know whether credentials were handled safely.
The artifacts include API-key-shaped literals, and the static scan separately flagged an exposed secret literal in this file. Even if intended as examples, shipped secret-like values create credential exposure and trust issues.
OPENAI_API_KEY=sk-proj-xxxxxxxxxxxxx ... api_key = "AIzaSyAfHE4vctPhMF2mVn96aEZZp8WuURlaGpM"
Remove all key-shaped literals, replace them with obvious placeholders, and rotate/revoke any key that may have been real before publishing.
Users may trust the credential setup too much and paste, store, or publish API keys without sufficient caution.
The documentation makes absolute safety claims about credential handling, which is not appropriate given the included secret-like literal/static scan finding and normal risks around API keys.
Committing to GitHub is now absolutely safe! ... Git leak risk ████████████ 0%
Replace absolute safety language with realistic guidance, explicitly warn users not to paste real keys into shared contexts, and document how to rotate keys.
Your local environment will trust code and dependencies fetched at install time.
The install path depends on cloning remote code, running a shell installer, and installing unpinned Python packages. This is disclosed and purpose-aligned, but it is still a supply-chain consideration.
git clone https://github.com/op7418/NanoBanana-PPT-Skills.git ... pip install google-genai pillow python-dotenv ... bash install_as_skill.sh
Install in a virtual environment, review the installer before running it, and prefer pinned dependency versions or a lockfile.
Document-derived content and slide images may be processed by Google Gemini/Nano Banana and, if video mode is used, Kling AI.
The workflow sends prompt content and generated slide images to external AI providers for image/video generation. This matches the stated purpose, but users should understand the data boundary.
Use Nano Banana Pro to generate 16:9 high-definition PPT ... Kling AI generates smooth page-transition animations ... I will read all generated images
Do not use confidential or regulated documents unless those providers and account settings are approved for that data.
The agent may read the document path you provide and create local output files/directories.
The skill instructs the agent to read user-specified local files and run local Python generation scripts. This is central to the PPT-generation function and is user-directed.
User: generate a PPT based on my-document.md → use the Read tool to read the file contents ... python generate_ppt.py --plan slides_plan.json
Only point it at files you intend to process, and run it from a dedicated project directory.
