nano-banana2

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed third-party image-generation helper with optional API-key storage, rather than hidden or destructive behavior.

Install only if you trust agent.mathmind.cn/kexiangai.com with your prompts, reference image URLs, and API key. Prefer a session-scoped X_API_KEY over saving the key on disk; if you use the saved-key option, rotate or delete ~/.config/nano-banana2/.env when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

External Transmission

Medium
Category
Data Exfiltration
Content
- **Only one call to imgEditNB2 per conversation turn; never call it more than once**
- **Absolutely forbidden: do not kill the process and re-issue the request just because the result is slow**
- **This API takes a long time to generate (possibly 5-10 minutes); wait patiently for the result, do not interrupt or retry**
- Set a timeout: the curl command must include `-m 600` (10-minute timeout); on timeout, report failure and do not retry
- Automatic retry loops are forbidden; any retry must first explain the cost risk to the user and obtain explicit consent.
- The same set of parameters must not be submitted again within the same conversation turn.
Confidence
89% confidence
Finding
The curl command must include `-m 600` (10-minute timeout); on timeout, report failure and do not retry - Automatic retry loops are forbidden; any retry must first explain the cost risk to the user and obtain explicit consent. - The same set of parameters must not be submitted again within the same conversation turn. ## When to use - The user has only a text prompt and wants to generate an image directly - The user provides a reference image URL and wants image-to-image generation - The user needs to specify the aspect ratio and resolution tier (1K/2K/4K) Example trigger phrases (including synonyms): - "帮

External Transmission

Medium
Category
Data Exfiltration
Content
export X_API_KEY='你的x-api-key'

# 3) Prompt-only generation
curl --location 'https://agent.mathmind.cn/minimalist/api/imgEditNB2' \
--header 'Content-Type: application/json' \
--header "x-api-key: $X_API_KEY" \
--data '{"urls":[],"prompt":"一只猫咪在玩耍","aspectRatio":"auto","imageSize":"1K"}'
Confidence
92% confidence
Finding
curl --location 'https://agent.mathmind.cn/minimalist/api/imgEditNB2' \ --header 'Content-Type: application/json' \ --header "x-api-key: $X_API_KEY" \ --data '{"urls":[],"prompt":"一只猫咪在玩耍","aspectRati

Credential Access

High
Category
Privilege Escalation
Content
secrets:
    primary: "X_API_KEY"
  storage:
    optional: ["~/.config/nano-banana2/.env (only when user explicitly enables --use-local-key)"]
---

## Security statement (ClawHub scan-friendly)
Confidence
94% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
### First-time setup (only once)

```bash
mkdir -p ~/.config/nano-banana2
cat > ~/.config/nano-banana2/.env << 'EOF'
X_API_KEY=你的x-api-key
EOF
```
Confidence
91% confidence
Finding
mkdir -p ~/.config/nano-banana2 cat > ~/.config/nano-banana2/.env << 'EOF' X_API_KEY=你的x-api-key EOF chmod 600 ~/.config/nano-banana2/.env ``` ### Subsequent automatic loading ```bash # Recommended: prefer the session environment variable export X_API_KEY='你的

VirusTotal

63/63 vendors flagged this skill as clean.
