Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Banana Openrouter

Generate images with Google's Nano Banana Gemini 2.5 Flash Image model via OpenRouter API using text prompts.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 305 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Name/description claim image generation via OpenRouter, which matches the code that POSTs to https://openrouter.ai. However metadata declares no required env vars, while SKILL.md and index.ts both expect OPENROUTER_API_KEY (with GEMINI_API_KEY as a fallback). The manifest/metadata omission is an incoherence that hides the need for credentials.
! Instruction Scope
SKILL.md usage and model choices are scoped to image generation. But the repository includes extra runtime/test files that broaden scope: test-gen.mjs contains a network call with a hard-coded API key, save-img.mjs reads output.json and writes files, and output.json contains a very large base64 image. Those artifacts increase risk (credential leakage, accidental execution, and large embedded binary data) beyond the SKILL.md instructions.
Install Mechanism
No formal install spec (instruction-only) which is low-risk. The package.json/package-lock present indicate node-fetch is a dependency — reasonable for fetch-based code. package-lock references the 'npmmirror.com' registry mirror instead of the default npm registry; atypical but not automatically malicious.
! Credentials
The skill requires an OpenRouter API key to operate (SKILL.md explicitly asks to set OPENROUTER_API_KEY and index.ts reads it), but the registered requirements list none — mismatch. Worse: test-gen.mjs contains a hard-coded API key literal (sk-or-v1-46da90…); including a plaintext credential in the bundle is a serious security issue and indicates either careless handling of secrets or leaked credentials.
Persistence & Privilege
No 'always: true' or persistent privileged behavior. SKILL.md asks the user to add the key to openclaw.json (normal for service integrations). The skill does not request system-wide config changes or modify other skills.
Scan Findings in Context
[base64-block] unexpected: The pre-scan detected a base64 block pattern. The bundle includes output.json containing a very large base64-encoded image; storing large base64 blobs in the skill package is unnecessary and could be used to smuggle data (here it appears to be an example image).
[hardcoded-api-key] unexpected: Repository files contain a hard-coded OpenRouter API key in test-gen.mjs. This is not required for the skill to function (the code should read the key from environment/config) and is a sensitive secret that must be removed and rotated.
What to consider before installing
Do not install or run this skill as-is. At minimum: (1) Remove the test file containing the hard-coded API key (test-gen.mjs) and rotate any exposed key immediately; treat it as compromised. (2) Remove or reduce embedded large base64 blobs (output.json) from the package (store examples elsewhere). (3) Update the skill metadata to declare required environment variables (OPENROUTER_API_KEY) so installers know a credential is needed. (4) Prefer removing test/demo network calls from the distributed bundle. (5) Verify the npm package sources (npmmirror entries) if you will npm install — use trusted registries. After these fixes, re-audit and only then consider installing. If you already used the exposed key anywhere, rotate it now.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk97eqzsvwb6vewz3kqf0n0xsk58214vx

SKILL.md

Nano Banana OpenRouter Skill

Generate images using Google's Nano Banana (Gemini 2.5 Flash Image) models via OpenRouter API.

Configuration

Add the following to your openclaw.json (or set the env var OPENROUTER_API_KEY):

{
  "skills": {
    "entries": {
      "nano-banana-openrouter": {
        "enabled": true,
        "config": {
          "apiKey": "sk-or-v1-..."  
        },
        "env": {
          "OPENROUTER_API_KEY": "sk-or-v1-..."
        }
      }
    }
  }
}

Usage

Tool Name: nano_banana_generate

Examples:

  • "Generate a cyberpunk dragon using Nano Banana."
  • "Draw a landscape in 16:9 aspect ratio."
  • "Use the preview model to generate a logo for a coffee shop."

Models

  • Default: google/gemini-2.0-flash-exp:free (Free tier, robust text/code, experimental image support)
  • High Quality: google/gemini-2.5-flash-image-preview (The specific "Nano Banana" image model, paid/credits required)

Notes

  • OpenRouter requires the HTTP-Referer and X-Title headers (included in this skill).
  • modalities: ["image"] is sent automatically.

Files

8 total