Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Triple

v1.2.0

3 images, one prompt, instant A/B/C. Nano Banana Pro's natural randomness gives you three distinct takes on any image idea — generated in parallel. Pick the...

by Matt Van Horn (@mvanhorn)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
Description says 'generate 3 images' which is reasonable, but the SKILL.md expects an external script at ~/.npm-global/lib/node_modules/clawdbot/skills/nano-banana-pro/scripts/generate_image.py and the 'uv' runner; those runtime dependencies are not declared in the skill metadata (no required binaries, no install). That is disproportionate to the stated simple purpose.
! Instruction Scope
Runtime instructions explicitly run three local commands that execute a script from the user's ~/.npm-global path. The SKILL.md also says it will use GEMINI_API_KEY from environment or openclaw config. The manifest did not declare these filesystem paths or env vars. Executing a script from a user home path and implicitly reading an API key are out-of-band actions not disclosed in the skill metadata.
Install Mechanism
This is instruction-only (no install spec), which is low-risk in principle, but the instructions assume a separately installed npm package and a 'uv' runner. Because the skill will invoke code that lives outside the skill bundle, it implicitly depends on third-party software that isn't installed or verified by the manifest.
! Credentials
SKILL.md states it uses GEMINI_API_KEY from environment or openclaw config, but the registry metadata lists no required env vars or primary credential. Requesting an API key for an image-generation backend would be proportional if declared; here the credential access is undisclosed and therefore suspicious.
Persistence & Privilege
The skill does not request always:true or elevated persistence. It allows autonomous invocation (the platform default), which by itself is expected and not flagged. The primary concerns are undeclared runtime actions, not persistence privileges.
What to consider before installing
This skill's instructions run a script from ~/.npm-global and say they will use GEMINI_API_KEY, but the skill metadata does not declare those requirements. Before installing or enabling:

  1. Verify the referenced repository/package (https://github.com/mvanhorn/nano-triple and the nano-banana-pro package) and inspect the generate_image.py script for what it does.
  2. Confirm you have and trust the 'uv' runner and any npm package at ~/.npm-global — running files from your home directory can execute arbitrary code.
  3. Only provide a GEMINI_API_KEY if you trust the implementation and know where requests will be sent.
  4. If you cannot inspect the external script or do not trust the package source, do not enable this skill.

Asking the skill author to declare required env vars, binaries, and the exact network endpoints would resolve the main concerns.
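
A minimal pre-install check in the spirit of the findings above, as an added example that is not ClawHub's or OpenClaw's scanner: it lists the credential-style env vars, runner binaries and out-of-bundle paths a SKILL.md uses and compares them with what the metadata declares. The `DECLARED` dict shape, the regexes and the embedded excerpt are assumptions constructed for illustration.

```python
import re

# Constructed excerpt modelled on the SKILL.md shown on this page.
SKILL_MD = '''\
uv run ~/.npm-global/lib/node_modules/clawdbot/skills/nano-banana-pro/scripts/generate_image.py \\
  --prompt "[USER'S EXACT PROMPT]" \\
  --filename "option-1.png" --resolution 1K

Uses GEMINI_API_KEY from environment or openclaw config.
'''

# Hypothetical declaration shape; the registry's real manifest schema is not
# shown on the page. Empty lists mirror "no required binaries, no env vars".
DECLARED = {"bins": [], "env": []}

# Credential-style environment variable names (heuristic, by suffix).
ENV_RE = re.compile(r"\b[A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)\b")
# Home-relative or absolute paths, i.e. files living outside the skill bundle.
PATH_RE = re.compile(r"(?<![\w/.])(?:~|\$HOME|/)[\w.-]*(?:/[\w.-]+)+")


def audit(skill_md, declared):
    """Return what the instructions use but the metadata does not declare."""
    env = set(ENV_RE.findall(skill_md))
    paths, bins = set(), set()
    for line in skill_md.splitlines():
        found = PATH_RE.findall(line)
        if not found:
            continue
        paths.update(found)
        # The first token of a line that runs an external file is the
        # binary that must already exist on the host (here: the runner).
        first = line.split()[0]
        if first not in found:
            bins.add(first)
    return {
        "undeclared_env": sorted(env - set(declared.get("env", []))),
        "undeclared_bins": sorted(bins - set(declared.get("bins", []))),
        "external_paths": sorted(paths),
    }


if __name__ == "__main__":
    for finding, values in audit(SKILL_MD, DECLARED).items():
        print(f"{finding}: {values}")
```

Declaring a requirement only clears it from the undeclared lists; every entry in `external_paths` still points at code that has to be inspected by hand.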

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎨 Clawdis
latest vk973prqg4hqmp6aezj0wk65sbx82e9v6
894 downloads
0 stars
3 versions
Updated 8h ago
v1.2.0
MIT-0

Nano Triple: 3 Images, Same Prompt, You Pick

When user wants an image, generate 3 versions and let them pick or refine.

Flow

Step 1: User Gives Their Prompt

User says: "make me an image of a sunset over mountains"

Step 2: Generate 3 Images with THE SAME PROMPT

Use the user's EXACT prompt for all 3. Don't modify it, don't get creative. The model's inherent randomness will produce 3 different results.

Run all 3 in parallel:

# Same prompt, 3 times
uv run ~/.npm-global/lib/node_modules/clawdbot/skills/nano-banana-pro/scripts/generate_image.py \
  --prompt "[USER'S EXACT PROMPT]" \
  --filename "option-1.png" --resolution 1K

uv run ~/.npm-global/lib/node_modules/clawdbot/skills/nano-banana-pro/scripts/generate_image.py \
  --prompt "[USER'S EXACT PROMPT]" \
  --filename "option-2.png" --resolution 1K

uv run ~/.npm-global/lib/node_modules/clawdbot/skills/nano-banana-pro/scripts/generate_image.py \
  --prompt "[USER'S EXACT PROMPT]" \
  --filename "option-3.png" --resolution 1K

Step 3: Send All 3 Images Labeled 1, 2, 3

Send each image with just the number:

  • 1 [image]
  • 2 [image]
  • 3 [image]

NO descriptions. NO creativity. Just 1, 2, 3 and the images.

Step 4: User Picks or Gives Feedback

  • "2" → Done, that's the winner
  • "1 but warmer colors" → Generate 3 MORE with their feedback applied
  • "none, try again" → Generate 3 more with same prompt

Key: Feedback on any option = 3 new images with that feedback applied

Example

User: make me an image of a cat wearing a top hat

You: Generate 3 images using that exact prompt, send as 1, 2, 3

User: 2 but bigger hat

You: Generate 3 MORE images with "bigger hat" added to prompt, send as 1, 2, 3

User: 3

You: 👍

Rules

  1. Always 3 images - Same prompt, 3 outputs
  2. No creativity - Use user's exact prompt
  3. Label 1, 2, 3 - No descriptions
  4. Feedback = 3 more - Any edit request generates 3 new options

API Key

Uses GEMINI_API_KEY from environment or openclaw config.
