Nano Banana Image Creator

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill does what it claims—generate or edit images via Google’s Gemini image API—but users should understand it sends prompts/images to Google and requires a Gemini API key.

This skill appears safe for its stated purpose. Before installing, make sure you trust sending image prompts and any selected input images to Google’s Gemini API, use an environment variable for your API key when possible, and be aware that `uv run` may install or resolve the declared Python dependencies.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private prompts or images used for editing may be transmitted to Google’s API.

Why it was flagged

The script sends the user prompt and, for edits, the selected input image to Google’s Gemini image API. This is disclosed and purpose-aligned, but it means user-provided content leaves the local environment.

Skill content

response = client.models.generate_content(
            model="gemini-3-pro-image-preview",
            contents=contents,

Recommendation

Do not use sensitive or confidential images/prompts unless you are comfortable sending them to the Gemini API under Google’s terms.

What this means

A Gemini API key is needed and could be exposed in chat history or command logs if passed directly as an argument.

Why it was flagged

The skill requires a Gemini API key, which is expected for the stated provider integration. Passing a key in chat or on the command line is more exposed than using an environment variable.

Skill content

The script checks for API key in this order:
1. `--api-key` argument (use if user provided key in chat)
2. `GEMINI_API_KEY` environment variable

Recommendation

Prefer setting `GEMINI_API_KEY` in the environment instead of pasting API keys into chat or command arguments.

What this means

Future package versions could change behavior or introduce compatibility/security issues.

Why it was flagged

The script relies on runtime-resolved Python dependencies with minimum-version ranges rather than exact pins. This is common for `uv run` scripts but gives less reproducibility than pinned dependencies.

Skill content

# dependencies = [
#     "google-genai>=1.0.0",
#     "pillow>=10.0.0",
# ]

Recommendation

Use trusted package indexes and consider pinning exact dependency versions if reproducibility is important.

What this means

Installing and using the skill allows the agent to run this local image-generation script when invoked.

Why it was flagged

The skill instructs the agent to execute a local Python helper script. This is central to the skill’s purpose and the included source is straightforward, but it is still local code execution.

Skill content

uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt "your image description" --filename "output-name.png"

Recommendation

Review the script before use if you have strict local-execution policies; no hidden or unrelated commands were found in the provided source.