Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wavespeed Nanobanana2

v1.0.3

A professional image-creation skill that calls Wavespeed AI's NanoBanana-2 model for text-to-image and image-to-image generation

0 · 439 · 2 current · 2 all-time
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description and most files indicate a text→image skill for Wavespeed and the code actually calls a Wavespeed API endpoint — this is coherent. However SKILL.md advertises parameters (resolution, output_format) that index.js does not implement, and the registry metadata incorrectly lists "Required env vars: none" despite the skill requiring WAVESPEED_API_KEY.
! Instruction Scope
SKILL.md is scoped to generating images and using WAVESPEED_API_KEY. The index.js file, however, contains a top-level immediately-invoked test block that will execute when the module is loaded, performing an API call using a hardcoded API key and logging results. That means simply loading/installing the skill triggers network activity and use of an embedded credential — outside the normal runtime use described in SKILL.md.
Install Mechanism
There is no install spec (instruction-only is lower risk), but the package contains code files (index.js and package.json with axios) so installing or loading will write/execute code. The included dependencies are normal (axios) and pulled from npm; no remote downloads or unusual install hosts are present.
! Credentials
The skill correctly requires WAVESPEED_API_KEY for the API, which is proportionate. But the package includes a hardcoded API key inside index.js testContext — this is a sensitive secret embedded in source. Also registry metadata claims no required env vars while SKILL.md and skill.json list WAVESPEED_API_KEY, an inconsistency worth resolving.
Persistence & Privilege
The skill does not request always:true and does not declare elevated platform-wide privileges. Permissions list network access which matches its purpose. The main concern is the load-time test behavior, not persistence/privilege escalation.
What to consider before installing
Do not install or enable this skill until the issues are fixed. Specific actions to take or request from the author:

  • Remove the top-level test block (the anonymous async function at the end of index.js). That code runs on module load and triggers an outbound API call immediately.
  • Remove any hardcoded API key from the repository. If the embedded key is real, revoke it immediately (treat it as compromised).
  • Fix registry metadata and SKILL.md to consistently declare WAVESPEED_API_KEY as a required environment variable.
  • Implement or document the advertised parameters (resolution, output_format) or update SKILL.md to match the actual behavior.
  • Replace the malformed skill.json (which contains a shell echo command) with a proper JSON file — shipping a shell command as the skill manifest is suspicious and could modify user files if executed by a maintainer script.
  • After the author provides a cleaned version, review that no secrets remain in code and that no code runs network calls on import; run the skill in an isolated environment first to confirm behavior and any billing implications.

If you cannot get a corrected package, treat this skill as untrusted because of embedded secrets and load-time network activity.

Like a lobster shell, security has layers — review code before you run it.

latestvk977fb9jj6bh6d5m11cjb8yb0h82bkn8
439 downloads
0 stars
4 versions
Updated 11h ago
v1.0.3
MIT-0

Wavespeed NanoBanana2 Text-to-Image Skill

Overview

This skill enables text-to-image generation using the Wavespeed AI NanoBanana2 API. It allows you to generate high-quality images from textual descriptions with various resolution options.

Features

  • Generate images from text prompts
  • Support for multiple resolutions (1k, 2k, 4k)
  • Multiple output formats (PNG, JPG, WebP)
  • Environment variable-based authentication
  • Error handling and validation

Prerequisites

  1. A valid Wavespeed AI API key
  2. The API key must be set in the WAVESPEED_API_KEY environment variable

Installation

  1. Place this skill in your OpenClaw skills directory: ~/.openclaw/workspace/skills/
  2. Set the WAVESPEED_API_KEY environment variable with your Wavespeed API key
  3. Register the skill through the OpenClaw management interface

Usage

Basic Usage

{
  "skill": "wavespeed-nanobanana2",
  "parameters": {
    "prompt": "A beautiful landscape with mountains and a lake"
  }
}

With Custom Resolution

{
  "skill": "wavespeed-nanobanana2",
  "parameters": {
    "prompt": "A futuristic city skyline at night",
    "resolution": "2k"
  }
}

With Custom Output Format

{
  "skill": "wavespeed-nanobanana2",
  "parameters": {
    "prompt": "A cute dog wearing a sweater",
    "resolution": "1k",
    "output_format": "jpg"
  }
}

Parameters

Parameter      Type    Required  Default  Description
prompt         String  Yes       -        Text description of the image to generate
resolution     String  No        "1k"     Image resolution (1k, 2k, or 4k)
output_format  String  No        "png"    Output image format (png, jpg, or webp)

Environment Variables

  • WAVESPEED_API_KEY (required): Your Wavespeed AI API key for authentication

Error Handling

The skill includes comprehensive error handling for:

  • Missing required parameters
  • Missing or invalid API key
  • API request failures
  • HTTP error responses
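
The sketch below shows an entry point that enforces the parameter table and error cases listed above while avoiding the scan's findings (embedded key, network call on load). It is an added example, not the skill's actual index.js; the function names, the injected `transport` callback and the `SKILL_SELFTEST` flag are assumptions.

```javascript
// Added example (not the skill's index.js). Function names, `transport` and
// SKILL_SELFTEST are hypothetical; allowed values come from the SKILL.md table.
const RESOLUTIONS = ['1k', '2k', '4k'];
const FORMATS = ['png', 'jpg', 'webp'];

// Validate caller input against the documented table and apply its defaults.
function validateParams(params = {}) {
  const { prompt, resolution = '1k', output_format = 'png' } = params;
  if (typeof prompt !== 'string' || prompt.trim() === '') {
    throw new Error('prompt is required and must be a non-empty string');
  }
  if (!RESOLUTIONS.includes(resolution)) {
    throw new Error(`resolution must be one of: ${RESOLUTIONS.join(', ')}`);
  }
  if (!FORMATS.includes(output_format)) {
    throw new Error(`output_format must be one of: ${FORMATS.join(', ')}`);
  }
  return { prompt: prompt.trim(), resolution, output_format };
}

// The key is read from the environment at call time; nothing is embedded in source.
function getApiKey(env = process.env) {
  const key = env.WAVESPEED_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('WAVESPEED_API_KEY is not set');
  }
  return key.trim();
}

// Entry point. `transport` is a caller-supplied async function that performs the
// HTTP request, so this module contains no network code that could run at load.
async function generateImage(params, transport, env = process.env) {
  const body = validateParams(params); // reject bad input before touching the key
  const apiKey = getApiKey(env);
  return transport({ apiKey, body });
}

// Manual smoke test: runs only when the file is executed directly AND the
// operator opts in, never as a side effect of require()/import.
const runDirect = typeof require !== 'undefined' &&
  typeof module !== 'undefined' && require.main === module;
if (runDirect && process.env.SKILL_SELFTEST === '1') {
  const dryRun = async ({ body }) => ({ dryRun: true, body }); // no network, key not echoed
  generateImage({ prompt: 'constructed test prompt' }, dryRun)
    .then((r) => console.log(r)).catch((e) => console.error(e.message));
}

if (typeof module !== 'undefined') module.exports = { validateParams, getApiKey, generateImage };
```
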

Notes

  • Image generation may take several seconds depending on the resolution
  • The API has rate limits - check Wavespeed AI documentation for details
  • High-resolution images (2k, 4k) may consume more credits

API Reference

For more details about the Wavespeed NanoBanana2 API, see: Wavespeed AI API Documentation
