NanoBanana PPT Skills

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A real API key in the package could be abused for API usage or billing, and secret-like examples make it harder to know whether credentials were handled safely.

Why it was flagged

The artifacts include API-key-shaped literals, and the static scan separately flagged an exposed secret literal in this file. Even if intended as examples, shipped secret-like values create credential exposure and trust issues.

Skill content

OPENAI_API_KEY=sk-proj-xxxxxxxxxxxxx ... api_key = "AIzaSyAfHE4vctPhMF2mVn96aEZZp8WuURlaGpM"

Recommendation

Remove all key-shaped literals, replace them with obvious placeholders, and rotate/revoke any key that may have been real before publishing.

What this means

Users may trust the credential setup too much and paste, store, or publish API keys without sufficient caution.

Why it was flagged

The documentation makes absolute safety claims about credential handling, which is not appropriate given the included secret-like literal, the static scan finding, and the normal risks around API keys.

Skill content

Now commit to GitHub, absolutely safe! ... Git leak risk         ████████████ 0%

Recommendation

Replace absolute safety language with realistic guidance, explicitly warn users not to paste real keys into shared contexts, and document how to rotate keys.

What this means

Your local environment will trust code and dependencies fetched at install time.

Why it was flagged

The install path depends on cloning remote code, running a shell installer, and installing unpinned Python packages. This is disclosed and purpose-aligned, but it is still a supply-chain consideration.

Skill content

git clone https://github.com/op7418/NanoBanana-PPT-Skills.git ... pip install google-genai pillow python-dotenv ... bash install_as_skill.sh

Recommendation

Install in a virtual environment, review the installer before running it, and prefer pinned dependency versions or a lockfile.

What this means

Document-derived content and slide images may be processed by Google Gemini/Nano Banana and, if video mode is used, Kling AI.

Why it was flagged

The workflow sends prompt content and generated slide images to external AI providers for image/video generation. This matches the stated purpose, but users should understand the data boundary.

Skill content

Use Nano Banana Pro to generate 16:9 HD PPT slides ... Kling AI generates smooth page-transition animations ... I will read all generated images

Recommendation

Do not use confidential or regulated documents unless those providers and account settings are approved for that data.

What this means

The agent may read the document path you provide and create local output files/directories.

Why it was flagged

The skill instructs the agent to read user-specified local files and run local Python generation scripts. This is central to the PPT-generation function and is user-directed.

Skill content

User: generate a PPT based on my-document.md → use the Read tool to read the file content ... python generate_ppt.py --plan slides_plan.json

Recommendation

Only point it at files you intend to process, and run it from a dedicated project directory.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
API_MANAGEMENT.md:64
Finding
File appears to expose a hardcoded API secret or token.