ClawHub

Nano Banana 2

v0.1.1

Generate images with Google Gemini 3.1 Flash Image Preview (Nano Banana 2) via inference.sh CLI. Capabilities: text-to-image, image editing, multi-image inpu...

5· 2.2k·17 current·19 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim (generate/edit images via Google Gemini 3.1 Flash Image Preview) aligns with the runtime instructions: the SKILL.md tells the agent to install and use the inference.sh CLI to run google/gemini-3-1-flash-image-preview. There are no unrelated requirements or capabilities requested.
!
Instruction Scope
The SKILL.md explicitly instructs the user/agent to run a remote installer (curl -fsSL https://cli.inference.sh | sh) and to run 'infsh login' before using apps. This downloads and executes a third-party binary and initiates a login flow (credential handling) that the skill metadata does not declare. The instructions also send prompts and input images to the external inference.sh service (expected for the stated purpose) but the install+login steps extend the scope beyond simple local commands.
!
Install Mechanism
There is no formal install spec in the registry metadata; instead the SKILL.md recommends running a remote install script (pipe-to-sh) that fetches a binary from dist.inference.sh. Even though the doc mentions checksum verification, piping a remote script to sh and installing a third-party binary is higher-risk than an instruction-only skill and writes persistent binaries/config to the system.
Credentials
The skill metadata declares no required environment variables or credentials, but the runtime instructions call 'infsh login', which implies that API keys or an account will be created/stored. The absence of declared credentials is an information gap — the login step will likely store tokens or require secrets that the registry metadata did not advertise.
Persistence & Privilege
The skill does not request 'always: true' and has no declared config-path or system-wide modifications. However, following the install instructions will add a third-party CLI binary and likely persistent credentials/config produced by 'infsh login' to the host; that is normal for a CLI but is a persistent side effect users should be aware of.
What to consider before installing
This skill appears to do what it says (use inference.sh to run Gemini image apps) but it asks you to download and run a third‑party installer and sign in to an external service. Before installing: (1) Inspect https://cli.inference.sh manually — don't run curl | sh without reading the script. (2) Prefer downloading the binary and verifying SHA-256 checksums yourself using the provided checksums URL. (3) Understand what credentials 'infsh login' will store and where (API tokens, config files). (4) If you have concerns, run the installer in an isolated environment (VM/container) or skip installing and use alternative vetted image-generation tooling. If you want a firmer assessment, provide the actual install script (cli.inference.sh) and any documentation about the login/auth flow so we can inspect exactly what gets executed and what credentials are created/stored.

Like a lobster shell, security has layers — review code before you run it.

latestvk9710nxy4m8cts1mtz4h1n0mbn81y2wc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments