ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Gpt

Use when tasks need the NanoGPT API for text, image, or video generation through the local `nano-gpt` CLI and bundled wrapper scripts for OpenClaw or ClawHub...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 193 · 0 current installs · 0 all-time installs
by@icework
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env var (NANO_GPT_API_KEY), and included code (CLI invoking NanoGPT endpoints, image/video handling) are consistent. Optional env overrides and per-user config are expected for a CLI wrapper. No unrelated credentials or surprising binaries are requested.
Instruction Scope
SKILL.md instructs the agent to use the bundled wrapper scripts and to only upload local media when explicitly provided — which matches the code (image/video inputs are read only when paths are given). It also tells the user to run npm install / build or npm install -g nano-gpt-cli if the CLI isn't present; those steps will pull and run code and should be executed intentionally. A prompt-injection pattern was flagged in SKILL.md metadata (default prompt / system override); the agent's default_prompt is a normal skill field but you should review it to ensure it doesn't change system behavior unexpectedly.
Install Mechanism
There is no automated install spec in the registry entry; the SKILL.md suggests normal npm-based installs (local build or npm install -g). No downloads from personal servers, shorteners, or IP addresses are present; package.json and source files look standard. Installing the published npm package is the only non-local step and is expected for a CLI.
Credentials
Only one required secret (NANO_GPT_API_KEY) is declared as the primary credential; optional NANO_GPT_* env vars are reasonable for model/base-url overrides. The code reads and stores per-user config (api-key) in the user config directory if you call 'nano-gpt config set api-key', which is documented and expected.
Persistence & Privilege
Always:false and user-invocable:true (normal). The skill may write its own per-user config (config.json in the user's nano-gpt-cli config dir) when asked to store the API key — this is expected behavior for a CLI and does not modify other skills or global agent settings.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md / agents/openai.yaml includes a default_prompt field to tell the agent how to use the skill. The regex-based detector flagged this pattern as a potential system-prompt override. In this repository the default_prompt appears to be a legitimate skill instruction (telling the agent when to use NanoGPT), but you should inspect the prompt text to ensure it doesn't attempt to surreptitiously change system-level behavior beyond the skill's scope.
Assessment
This skill appears coherent with its stated purpose: it wraps a NanoGPT CLI and only asks for the NanoGPT API key. Before installing or running: 1) Verify the API base URL (NANO_GPT_BASE_URL) if you have concerns about where data is sent (defaults to https://nano-gpt.com). 2) Only run npm install/build or npm install -g if you trust the package source; installing the published npm package will execute third-party code. 3) The CLI will read and transmit any local images/videos you explicitly provide — do not pass sensitive files unless you intend to upload them. 4) The SKILL.md contains a default prompt entry (flagged by an automated detector); review that text to ensure it doesn't try to override agent/system policies in unexpected ways. If you want stricter isolation, avoid running the global npm install and use the code only after manual review or in a sandbox.
!
cli/src/image-input.ts:1
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.2
Download zip
latestvk97bfeag2b4rq5030qzvrwhzas82qsv7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvNANO_GPT_API_KEY
Primary envNANO_GPT_API_KEY

SKILL.md

NanoGPT Skill

Use this skill when the task should run through the NanoGPT API from a local terminal environment. NanoGPT’s official docs describe it as an API for text, image, and video generation, with text generation generally matching OpenAI standards. This repository is the local CLI and skill wrapper for that API, not a generic prompt helper. Prefer the bundled wrapper scripts in scripts/ so OpenClaw and direct CLI usage share the same behavior.

Official docs: https://docs.nano-gpt.com/

Prerequisite check

Before invoking the skill, ensure the CLI is available:

./scripts/models.sh --json

If that fails because the local CLI is not built yet:

npm install
npm run build

If the repo is not present locally, install the published CLI instead:

npm install -g nano-gpt-cli

Authentication is token-based. This skill requires a NanoGPT API token. Set the token in NANO_GPT_API_KEY:

export NANO_GPT_API_KEY=YOUR_NANO_GPT_TOKEN

Or configure it once and store it in the local nano-gpt-cli user config:

nano-gpt config set api-key YOUR_API_KEY

Optional environment overrides:

export NANO_GPT_MODEL=moonshotai/kimi-k2.5
export NANO_GPT_IMAGE_MODEL=qwen-image
export NANO_GPT_VIDEO_MODEL=kling-video-v2
export NANO_GPT_BASE_URL=https://nano-gpt.com
export NANO_GPT_OUTPUT_FORMAT=text

Quick start

Text prompt:

./scripts/prompt.sh "Summarize the latest build logs."

Streaming multimodal prompt:

./scripts/prompt.sh "Describe this image." --image ./assets/example.png

Interactive chat:

./scripts/chat.sh

Image generation:

./scripts/image.sh "A cinematic product shot of a silver mechanical keyboard" --output output/keyboard.png

Image-to-image generation:

./scripts/image.sh "Turn this product photo into a watercolor ad" --image ./assets/product.png --output output/product-watercolor.png

Video generation:

./scripts/video.sh "A cinematic drone flyover of a neon coastal city at dusk" --duration 5 --output output/neon-city.mp4

Workflow

  1. Use scripts/prompt.sh for one-shot text or vision prompts.
  2. Use scripts/chat.sh for iterative back-and-forth.
  3. Use scripts/image.sh for text-to-image or image-to-image generation.
  4. Use scripts/video.sh for text-to-video or image-to-video generation.
  5. Use nano-gpt video-status REQUEST_ID when a video run is asynchronous and needs a later status check.
  6. Use scripts/models.sh --json when model discovery matters.
  7. Prefer flags over editing scripts. The wrappers should stay thin.

References

Open only what you need:

  • Command reference: references/cli.md
  • Common OpenClaw workflows: references/workflows.md

Guardrails

  • Prefer the wrapper scripts over calling NanoGPT HTTP APIs directly.
  • Only use this skill when the user wants to call the NanoGPT API.
  • Keep secrets out of prompts and logs; use config or env vars for API keys.
  • Only upload local images or videos when the user explicitly provides the path or clearly asks to use that specific file.
  • Do not search the filesystem for media to upload.
  • Treat local --image and --video inputs as remote-upload actions. Do not send sensitive screenshots, exports, documents, or recordings unless the user explicitly requests it.
  • Prompts and any provided media are sent to the configured NanoGPT API endpoint, which defaults to https://nano-gpt.com.
  • Use --json when another tool or agent will parse the output.
  • Use --output on scripts/image.sh when a file artifact is required.
  • Use --output on scripts/video.sh when the final MP4 should be written locally.

Files

31 total
Select a file
Select a file to preview.

Comments

Loading comments…