Nano banana
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: nano-banana-v3
Version: 3.0.0
The skill bundle is benign. The `SKILL.md` provides clear, non-malicious instructions for the AI agent on how to use the image generation script, including security-conscious advice like 'Do not read the image back'. The `generate_image.py` script uses standard libraries (`google-genai`, `pillow`), securely handles API keys from arguments or environment variables, and saves generated images to a user-specified filename in the current working directory. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could run a different local script than the one reviewed here, and that script would receive prompts, file paths, and possibly the user's Gemini API key.
The documented command hard-codes a Codex skill path named nano-banana-pro, while the supplied registry item is nano-banana-v3 and _meta.json reports different owner/slug/version values. That makes the executed script's provenance ambiguous.
uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt ...
Fix the slug/path/metadata mismatch and invoke the reviewed script via the installed skill's actual path before providing credentials or image files.
Running the skill may install or use versions of google-genai and pillow selected at runtime.
The script relies on uv-style inline dependencies with lower-bound version constraints and no lockfile in the supplied artifacts. This is common for script-based tools, but it means package resolution is not fully pinned.
# dependencies = [
#   "google-genai>=1.0.0",
#   "pillow>=10.0.0",
# ]
Prefer a lockfile or pinned dependency versions if reproducibility is important.
Using the skill gives the script access to the user's Gemini API quota/account for image generation.
A Gemini API key is expected for this provider integration, but the registry metadata declares no primary credential or required environment variable.
The script checks for API key in this order:
1. `--api-key` argument
...
2. `GEMINI_API_KEY` environment variable
Use a scoped Gemini key where possible, prefer an environment variable over pasting keys in chat, and revoke the key if it is exposed.
Private or sensitive images selected for editing will be transmitted to Google for processing.
For image edits, the selected local image and prompt are sent to Google's Gemini API. This is disclosed and aligned with the image-editing purpose.
contents = [input_image, args.prompt]
...
response = client.models.generate_content(
Only provide images and prompts you are comfortable sending to the Gemini API.
A poorly chosen filename could create directories or overwrite an existing file.
The script writes output to the supplied filename and creates parent directories. SKILL.md discloses this behavior, and it is central to saving generated images, but it can affect arbitrary paths the user or agent supplies.
output_path = Path(args.filename)
output_path.parent.mkdir(parents=True, exist_ok=True)
Use unique filenames in the current working directory unless you intentionally want to write elsewhere.
