sudocode-nano-banana2

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent remote image-generation client, but users should know it requires a Sudocode API key and sends prompts or optional images to a configured remote service.

This skill looks appropriate for its stated purpose. Before installing, make sure you are comfortable registering for Sudocode, storing an API key in `~/.openclaw/.env`, and sending prompts or selected images to the configured Sudocode endpoint. Keep the default endpoint unless you trust an alternate `SUDOCODE_BASE_URL`.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

You must provide a Sudocode API key, and that key will be stored locally if you use the initializer.

Why it was flagged

The skill requires and can persist a service credential. This is expected for a Sudocode API client, but it gives the skill access to the user's Sudocode account/API quota.

Skill content
`SUDOCODE_IMAGE_API_KEY`: required API key ... The initializer writes these values into `~/.openclaw/.env`
Recommendation

Use this only on trusted machines, protect `~/.openclaw/.env`, and use a dedicated or revocable API key if Sudocode supports it.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Private prompts or images provided to the skill may be sent to the configured remote service.

Why it was flagged

The skill explicitly transmits user prompts and any selected local image to a remote provider endpoint. This is central to the image-generation purpose, but users should treat uploaded images/prompts as data shared with that service.

Skill content
It sends prompts and optional input images to the configured Sudocode endpoint
Recommendation

Do not use sensitive images or prompts unless you trust the configured Sudocode endpoint and its data handling.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

A missing dependency may be installed from the package ecosystem before use.

Why it was flagged

The dependency installation is user-directed and expected for the Python API client, but it is unpinned and depends on the user's package index/provenance.

Skill content
If `requests` is missing, install it with: `uv pip install requests`
Recommendation

Install dependencies from trusted package indexes and consider pinning or reviewing dependency versions in managed environments.