nano banana pro pptx
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned for generating Gemini-powered PowerPoint decks, with expected but important notes about API-key use, external Gemini requests, runtime dependencies, and output-path ambiguity.
This skill looks coherent for creating AI-generated PPTX decks. Before installing or running it, protect your Gemini API key, avoid sensitive prompt content unless you trust the configured endpoint, be aware that `uv run` may resolve unpinned dependencies, and use the default output path unless you are comfortable with the script creating an output directory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide a Gemini API key, so accidental exposure of that key could allow unauthorized API use.
The skill requires a Gemini API key to call the Gemini service. This is expected for the stated purpose, but the key may allow API usage and billing.
GEMINI_API_KEY — required (or pass --api-key)
Prefer setting the key in an environment variable or secret manager rather than pasting it into chat or command history; use a restricted key if possible.
Presentation topics or slide text may be transmitted to Gemini, or to a user-specified custom/proxy base URL.
The script sends the presentation topic and generated slide prompts to Gemini for planning and image generation. This external provider flow is disclosed and central to the skill.
client.models.generate_content(model="gemini-3.1-pro-preview", contents=system_instruction)
Do not include confidential information in prompts unless you are comfortable sending it to the configured Gemini endpoint; only use trusted custom base URLs.
Running the skill may install or use whatever compatible package versions are resolved at that time.
The script declares package dependencies without version pins. This is common for simple uv-run scripts, but it means dependency versions may change over time.
# dependencies = [
#     "google-genai",
#     "python-pptx",
#     "Pillow",
# ]
Run in a controlled environment and consider pinning or locking dependency versions for repeatable, auditable use.
A user may expect a specific PPTX filename but instead get a directory created with that name.
The code treats `--filename` as an output directory name, while SKILL.md describes it as an output `.pptx` filename or full path. This is an instruction/behavior mismatch, not evidence of malicious behavior.
parser.add_argument("--filename", default=None, help="Output directory name (default: auto-generated from prompt)")
Use the default output naming unless you understand the script's directory behavior; the skill author should clarify the `--filename` documentation.
