Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Img Cli

v1.0.1

Drives the local nano-img Gemini image CLI for image generation, model selection, saved defaults, reference-image workflows, and output sizing or format conv...

by Dishant Sharma (@dishant0406)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the instructions: this is an instruction-only helper for the local nano-img / nano-image CLI and for managing ~/.nano-img defaults. Asking the agent to read and run local CLI commands is consistent with that purpose.
Instruction Scope
SKILL.md instructs the agent to inspect and modify files under ~/.nano-img, run CLI commands, and rely on upstream Gemini behavior. Troubleshooting explicitly tells the user to verify NANO_IMAGE_API_KEY is set and to inspect API error messages — the instructions therefore expect access to local home files and to networked API calls, but those dependencies are not declared.
Install Mechanism
No install spec (instruction-only) — lowest-risk delivery. The skill prefers installed binaries or repo-local npm scripts but doesn't pull code or download artifacts itself.
Credentials
The requires.env field is empty in the metadata, but the documentation and troubleshooting sections reference NANO_IMAGE_API_KEY and upstream Gemini API failures. This is an undeclared secret requirement (and thus an incoherence): the skill may need an API key to list models or generate images even though no credential is advertised.
Persistence & Privilege
The always flag is false and the skill is user-invocable. agents/openai.yaml permits implicit invocation, which is normal; nothing requests permanent elevated privilege or configuration changes to other skills.
What to consider before installing
This skill is mostly a wrapper around a local CLI and local ~/.nano-img files, which is plausible. However:
(1) The docs reference NANO_IMAGE_API_KEY and upstream Gemini API calls while the skill metadata lists no required env vars. Confirm whether you must supply an API key before using it.
(2) Verify where the nano-img/nanobana binaries come from (npm package name 'nanobana') and whether you trust that source before installing or running commands.
(3) Review the contents of ~/.nano-img for any sensitive data before allowing the agent to read or modify those files.
(4) If you want lower risk, run the CLI in an isolated environment (container or VM), or require the skill metadata to explicitly declare required env vars (e.g., NANO_IMAGE_API_KEY) and provide an audit of the network endpoints used.
If the author updates the metadata to declare the API key requirement (or removes references to it), this assessment would likely move to benign.


