Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nano Banana Image Skills
v1.0.0
Generate images using Google Gemini models (Nano Banana 2 / gemini-3-pro-image-preview). Use when the user asks to create, generate, or make an image, pictur...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, README, SKILL.md and the two scripts all implement an image-generation workflow against the Wisdom Gate (wisgate.ai) API (text→image and image→image). There are no unrelated API keys or unrelated binaries requested; the required functionality (upload input images, call external image-generation API, save outputs and conversation history) is consistent with the stated purpose.
Instruction Scope
Runtime instructions and scripts instruct the agent to call https://api.wisgate.ai and to read input image files and write outputs and a conversation.json history file. This scope is expected for a multi-turn image generator, but the SKILL.md contains a truncated/typo'd workflow line referencing a different env var name (WISDOM_GATE_KEY) which could cause confusion. The scripts only access local input/output files and the conversation history; they do not attempt to read unrelated system paths.
Install Mechanism
No install spec is provided (instruction-only install), and included Python scripts require only the requests library. There is no remote download of arbitrary archives or unusual install steps. Risk from installation is low, but the code will run network calls when invoked.
Credentials
The scripts and SKILL.md require a Wisdom Gate API key (environment variable referenced as WISGATE_KEY), which is proportionate to the purpose. However, the registry metadata claims no required env vars, and the SKILL.md and README contain inconsistent/typo'd references (WISGATE_KEY vs WISDOM_GATE_KEY). The mismatch between declared metadata and actual code means an API key will be needed at runtime even though the registry advertises none—this is an incoherence that could lead to accidental key exposure or confusion.
Persistence & Privilege
The skill does not request permanent platform presence (always: false) and does not modify other skills or system-wide agent settings. It writes conversation history (conversation.json) and image output files to the working directory, which is expected for multi-turn refinement and not an elevated privilege request.
What to consider before installing
This skill appears to implement the advertised image-generation functionality, but confirm the following before installing or running it:
- An API key is required at runtime: the scripts expect WISGATE_KEY (SKILL.md/README mention this), but the registry metadata does not declare any required environment variables. Ask the publisher to correct the registry metadata or declare the env var so you know a secret is needed.
- There is a minor typo/inconsistency in the SKILL.md (references to WISDOM_GATE_KEY in one place). Make sure you set the correct variable (WISGATE_KEY) and avoid accidentally pasting your key into the wrong place.
- The scripts call https://api.wisgate.ai and will send input images and prompts to that external service; only provide images and prompts you are comfortable being transmitted to that API. Review Wisgate's privacy/security policy if you will upload sensitive images.
- The skill saves conversation history to conversation.json in the working directory and writes generated images to disk. If this is sensitive data, run the scripts in a controlled/sandbox directory or delete the history file after use.
- Because the registry metadata and SKILL.md disagree about required credentials, request clarification from the owner (or inspect the code yourself, which you can: both scripts are included) before granting any API key.
If you trust the Wisdom Gate service and are comfortable storing an API key as an env var, the skill is functionally coherent; the main issue is the metadata/documentation mismatch which should be fixed.
Like a lobster shell, security has layers — review code before you run it.
latest: vk975a8krppx2ea878zp5c87nr184h4wv
