Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Banana Pro

v1.0.5

Use Nano Banana 2 (Gemini 3.1 Flash Image), the newest image model focused on faster iteration, lower cost, and strong quality. Published 2026-02-26 as the l...

by wegoagain (@wegoagain-dev) · fork of @steipete/nano-banana-pro (1.0.1)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and the included Python script all describe image generation/editing via Google's Gemini (gemini-3.1-flash-image-preview) and use google.genai + Pillow to call the API and save PNGs — this is coherent with the stated purpose. However, the registry metadata lists no required env vars or binaries while the SKILL.md and script clearly require an API key (GEMINI_API_KEY or --api-key) and the 'uv' runtime, so the metadata under-declares what the skill needs.
Instruction Scope
SKILL.md instructs running the included script via 'uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py' and explicitly requires 'uv' to exist and an API key be provided. The script enforces an API key and reads input image files from user-specified paths. That behavior is appropriate for the skill, but SKILL.md also requires running from the user's current working directory (a reasonable user instruction) and expects an absolute path invocation — these operational requirements are fine, but they are not declared in the package metadata. The instructions are specific rather than overly broad, but the mismatch between declared and actual requirements is a concern.
Install Mechanism
There is no install specification (instruction-only install), which reduces installer risk. The included script lists dependencies in comments (google-genai, pillow) but does not provide an installation step; users must ensure those packages are installed. Lack of an install spec is not malicious but is an operational omission that could lead users to run the script without necessary dependencies.
Credentials
The script legitimately requires a single GEMINI_API_KEY (or --api-key) to call Google's genai API — that is proportionate to the purpose. However, the skill's registry metadata declares no required environment variables or primary credential, which contradicts SKILL.md/script. This under-reporting of a credential requirement (and the absence of any declared primaryEnv) is a noteworthy inconsistency. Also the repository metadata in _meta.json (owner 'steipete' and slug 'nano-banana-pro') doesn't match the registry owner/slug shown in the skill manifest, increasing provenance concerns.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges: always is false and disable-model-invocation is default. It does not modify other skills or system-wide config. Its behavior is limited to using an API key to call an external model and writing image files to the working directory.
What to consider before installing
This skill appears to do what it claims (generate/edit images using Gemini), but there are several inconsistencies you should resolve before installing or running it:

  • Metadata mismatch: The registry manifest says no required env vars or binaries, but SKILL.md and the script require an API key (GEMINI_API_KEY or --api-key) and the 'uv' runtime. Treat the GEMINI_API_KEY as required.
  • Provenance: The skill's _meta.json owner/slug differ from the registry owner/slug and the source is 'unknown' with no homepage — verify the author's identity (and prefer official sources) before trusting API keys.
  • Dependencies: The script expects google-genai and Pillow but provides no install step. Run in an isolated environment (container or VM) and install dependencies from trusted package registries before running.
  • Least privilege: Use a dedicated, limited Gemini API key or account (not a production key) and monitor usage/quota. Do not share high-privilege credentials with untrusted code.
  • Verify runtime: Ensure the 'uv' runner invoked in SKILL.md is the intended tool on your system; if unfamiliar, inspect how 'uv run' executes user scripts.

If the publisher updates the registry metadata to declare GEMINI_API_KEY and 'uv' as requirements, and the owner/slug provenance is reconciled (or the source is a trusted repo), this would increase confidence. If you cannot confirm the source or provenance, treat the package as untrusted and test only in isolated environments.

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

Nano Banana 2 (Gemini 3.1 Flash Image) - Faster, lower-cost image generation & editing

Generate new images or edit existing ones using Nano Banana 2 (gemini-3.1-flash-image-preview), Google’s newer image family that targets faster iterative generation and stronger price/performance balance while staying in the same image-editing workflow.

Why Nano Banana 2 (Gemini 3.1 Flash Image)

  • Newer release path: Gemini 3.1 Flash Image is documented as the 26 Feb 2026 Flash-image family release (vs. Nano Banana Pro’s 20 Nov 2025 release date for image preview).
  • Faster iteration: Google docs position Gemini 3.1 Flash Image as optimized for image understanding/generation with a balance of price and performance.
  • Cost focus: It is marketed for lower-cost, faster iterative image generation workflows compared with older Pro-first quality-first defaults.
  • Strong baseline quality: It remains suitable for professional generation/editing and supports multi-image editing/multi-turn workflows in the same API flow.

Use this as the default for drafts and quick turns; use higher-cost variants when you need a specific quality edge on a non-time-critical final pass.

Usage

Run the script using its absolute path (do NOT cd to the skill directory first):

Generate new image:

uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt "your image description" --filename "output-name.png" [--resolution 1K|2K|4K] [--api-key KEY]

Edit existing image:

uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt "editing instructions" --filename "output-name.png" --input-image "path/to/input.png" [--resolution 1K|2K|4K] [--api-key KEY]

Important: Always run from the user's current working directory so images are saved where the user is working, not in the skill directory.

Default Workflow (draft → iterate → final)

Goal: fast iteration without burning time on 4K until the prompt is correct.

  • Draft (1K): quick feedback loop
    • uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt "<draft prompt>" --filename "yyyy-mm-dd-hh-mm-ss-draft.png" --resolution 1K
  • Iterate: adjust prompt in small diffs; keep filename new per run
    • If editing: keep the same --input-image for every iteration until you’re happy.
  • Final (4K): only when prompt is locked
    • uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt "<final prompt>" --filename "yyyy-mm-dd-hh-mm-ss-final.png" --resolution 4K

Resolution Options

The Nano Banana 2 / Gemini 3.1 Flash Image API supports three resolutions (uppercase K required):

  • 1K (default) - ~1024px resolution
  • 2K - ~2048px resolution
  • 4K - ~4096px resolution

Map user requests to API parameters:

  • No mention of resolution → 1K
  • "low resolution", "1080", "1080p", "1K" → 1K
  • "2K", "2048", "normal", "medium resolution" → 2K
  • "high resolution", "high-res", "hi-res", "4K", "ultra" → 4K

API Key

The script checks for an API key in this order:

  1. --api-key argument (use if user provided key in chat)
  2. GEMINI_API_KEY environment variable

If neither is available, the script exits with an error message.

Preflight + Common Failures (fast fixes)

  • Preflight:

    • command -v uv (must exist)
    • test -n "$GEMINI_API_KEY" (or pass --api-key)
    • If editing: test -f "path/to/input.png"
  • Common failures:

    • Error: No API key provided. → set GEMINI_API_KEY or pass --api-key
    • Error loading input image: → wrong path / unreadable file; verify --input-image points to a real image
    • “quota/permission/403” style API errors → wrong key, no access, or quota exceeded; try a different key/account
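
The preflight checks above and the key order from the API Key section, combined into one POSIX shell function. This is an added example, not part of the skill; the PREFLIGHT_RUNNER and PREFLIGHT_KEY_SOURCE variables and the return codes are assumptions made for it.

```shell
#!/bin/sh
# Added example (not the skill's code): preflight for generate_image.py runs.
# Usage: preflight [--api-key KEY] [--input-image PATH] [--resolution 1K|2K|4K]
# Return codes are constructed for this example:
#   0 ok, 2 runner missing, 3 no API key, 4 input image unreadable, 5 bad resolution
# PREFLIGHT_RUNNER (hypothetical override, default "uv") names the runner to look for.
# PREFLIGHT_KEY_SOURCE is set to "argument" or "environment"; the key is never printed.

preflight() {
    pf_key="" pf_input="" pf_res="1K" PREFLIGHT_KEY_SOURCE=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --api-key)     pf_key="${2-}" ;;
            --input-image) pf_input="${2-}" ;;
            --resolution)  pf_res="${2-}" ;;
            *) shift; continue ;;          # ignore options this check does not need
        esac
        shift                              # drop the option name
        if [ $# -gt 0 ]; then shift; fi    # drop its value, if one was given
    done

    # 1. The runner named in SKILL.md must be on PATH.
    command -v "${PREFLIGHT_RUNNER:-uv}" >/dev/null 2>&1 || return 2

    # 2. Key resolution in the documented order: --api-key first, then GEMINI_API_KEY.
    if [ -n "$pf_key" ]; then
        PREFLIGHT_KEY_SOURCE="argument"
    elif [ -n "${GEMINI_API_KEY-}" ]; then
        PREFLIGHT_KEY_SOURCE="environment"
    else
        return 3
    fi

    # 3. When editing, the input image must be a readable regular file.
    if [ -n "$pf_input" ]; then
        [ -f "$pf_input" ] && [ -r "$pf_input" ] || return 4
    fi

    # 4. Resolution is case-sensitive: only 1K, 2K or 4K (uppercase K).
    case "$pf_res" in
        1K|2K|4K) ;;
        *) return 5 ;;
    esac
    return 0
}
```

When PREFLIGHT_KEY_SOURCE reports "argument", the key was on the command line, where it can be read from the process list and shell history; setting GEMINI_API_KEY avoids that.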

Filename Generation

Generate filenames with the pattern: yyyy-mm-dd-hh-mm-ss-name.png

Format: {timestamp}-{descriptive-name}.png

  • Timestamp: Current date/time in format yyyy-mm-dd-hh-mm-ss (24-hour format)
  • Name: Descriptive lowercase text with hyphens
  • Keep the descriptive part concise (1-5 words typically)
  • Use context from user's prompt or conversation
  • If unclear, use random identifier (e.g., x9k2, a7b3)

Examples:

  • Prompt "A serene Japanese garden" → 2025-11-23-14-23-05-japanese-garden.png
  • Prompt "sunset over mountains" → 2025-11-23-15-30-12-sunset-mountains.png
  • Prompt "create an image of a robot" → 2025-11-23-16-45-33-robot.png
  • Unclear context → 2025-11-23-17-12-48-x9k2.png

Image Editing

When the user wants to modify an existing image:

  1. Check if they provide an image path or reference an image in the current directory
  2. Use --input-image parameter with the path to the image
  3. The prompt should contain editing instructions (e.g., "make the sky more dramatic", "remove the person", "change to cartoon style")
  4. Common editing tasks: add/remove elements, change style, adjust colors, blur background, etc.

Prompt Handling

For generation: Pass user's image description as-is to --prompt. Only rework if clearly insufficient.

For editing: Pass editing instructions in --prompt (e.g., "add a rainbow in the sky", "make it look like a watercolor painting")

Preserve user's creative intent in both cases.

Prompt Templates (high hit-rate)

Use templates when the user is vague or when edits must be precise.

  • Generation template:

    • “Create an image of: <subject>. Style: <style>. Composition: <camera/shot>. Lighting: <lighting>. Background: <background>. Color palette: <palette>. Avoid: <list>.”
  • Editing template (preserve everything else):

    • “Change ONLY: <single change>. Keep identical: subject, composition/crop, pose, lighting, color palette, background, text, and overall style. Do not add new objects. If text exists, keep it unchanged.”

Output

  • Saves PNG to current directory (or specified path if filename includes directory)
  • Script outputs the full path to the generated image
  • Do not read the image back - just inform the user of the saved path

Examples

Generate new image:

uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt "A serene Japanese garden with cherry blossoms" --filename "2025-11-23-14-23-05-japanese-garden.png" --resolution 4K

Edit existing image:

uv run ~/.codex/skills/nano-banana-pro/scripts/generate_image.py --prompt "make the sky more dramatic with storm clouds" --filename "2025-11-23-14-25-30-dramatic-sky.png" --input-image "original-photo.jpg" --resolution 2K

Files

3 total