ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

nanobanana-openrouter

v1.1.1

Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image) via OpenRouter. Use for image create/modify requests incl. edits. Supports text-to-image + ima...

0· 82·0 current·0 all-time
bychang@liberalchang

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liberalchang/nanobanana-openrouter.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "nanobanana-openrouter" (liberalchang/nanobanana-openrouter) from ClawHub.
Skill page: https://clawhub.ai/liberalchang/nanobanana-openrouter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install nanobanana-openrouter

ClawHub CLI

Package manager switcher

npx clawhub@latest install nanobanana-openrouter
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match the included code (calls OpenRouter to generate/edit images). However the registry metadata declares no required environment variables or binaries while the SKILL.md and scripts require an OpenRouter API key (OPENROUTER_KEY) and the 'uv' runner. That mismatch is incoherent: a user or integrator would reasonably expect OPENROUTER_KEY to be declared as a required credential and 'uv' as a required binary.
!
Instruction Scope
SKILL.md instructs the agent to run the provided scripts for generation and edits, which is consistent. But the scripts convert any provided input image to a base64 data URL and POST it to openrouter.ai — meaning arbitrary local files supplied as --input-image will be uploaded to an external service. SKILL.md does not explicitly warn about uploading local files, and the code does not restrict which paths may be supplied.
Install Mechanism
This is instruction-plus-scripts only: there is no install spec or remote download. That minimizes supply-chain risk; dependencies are declared in script comments (requests, pillow) but nothing is fetched at install time by the skill bundle.
!
Credentials
The code requires an OpenRouter API key (OPENROUTER_KEY) or --api-key at runtime, but the skill metadata declares no required env vars and primary credential is 'none'. This is a clear mismatch. Requesting the single API key is proportional for this purpose, but it should be declared explicitly. No other credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It writes output images to a local output_images directory under the skill by default (or to a user-specified output-dir).
What to consider before installing
Before installing, be aware of three issues: (1) the skill actually requires an OpenRouter API key (OPENROUTER_KEY) and the 'uv' runner but the metadata does not declare them — ask the author to update the manifest so you know what credentials will be used; (2) the scripts will upload any file you point at with --input-image (it encodes the file as a data URL and sends it to openrouter.ai) — do not pass paths to sensitive local files; and (3) filenames are not sanitized against directory traversal (a crafted --filename or --output-dir could cause writes outside the skill folder). If you still want to use it, run it in a sandboxed environment, only provide a dedicated API key with limited quota/permissions, and request the author add explicit metadata and filename/path sanitization (reject '..' or absolute paths, enforce basename-only writes).

Like a lobster shell, security has layers — review code before you run it.

latestvk97emw0pq2vq4nb36enkq5hshx85020v
82downloads
0stars
2versions
Updated 1w ago
v1.1.1
MIT-0
chang@liberalchang
latest
Download

Nano Banana Pro Image Generation & Editing

Generate new images or edit existing ones using OpenRouter (model: google/gemini-3-pro-image-preview).

Usage

Run the script using absolute path:

Generate new image:

uv run /path/to/this/skill/scripts/generate_image.py --prompt "your image description" --filename "output-name.png" [--resolution 1K|2K|4K] [--api-key KEY]

Edit existing image:

uv run /path/to/this/skill/scripts/generate_image.py --prompt "editing instructions" --filename "output-name.png" --input-image "path/to/input.png" [--resolution 1K|2K|4K] [--api-key KEY]

Custom output directory:

uv run /path/to/this/skill/scripts/generate_image.py --prompt "your image description" --filename "output-name.png" --output-dir "/custom/path"

Output Location:

  • Default: Images are saved to ./output_images/ (relative to this skill's root directory)
  • Custom: Use --output-dir to specify a different directory
  • The script will create the output directory if it doesn't exist

Default Workflow (draft → iterate → final)

Goal: fast iteration without burning time on 4K until the prompt is correct.

  • Draft (1K): quick feedback loop
    • uv run /path/to/this/skill/scripts/generate_image.py --prompt "<draft prompt>" --filename "yyyy-mm-dd-hh-mm-ss-draft.png" --resolution 1K
  • Iterate: adjust prompt in small diffs; keep filename new per run
    • If editing: keep the same --input-image for every iteration until you’re happy.
  • Final (4K): only when prompt is locked
    • uv run /path/to/this/skill/scripts/generate_image.py --prompt "<final prompt>" --filename "yyyy-mm-dd-hh-mm-ss-final.png" --resolution 4K

Resolution Options

The OpenRouter API supports three resolutions (uppercase K required):

  • 1K (default) - ~1024px resolution
  • 2K - ~2048px resolution
  • 4K - ~4096px resolution

Map user requests to API parameters:

  • No mention of resolution → 1K
  • "low resolution", "1080", "1080p", "1K" → 1K
  • "2K", "2048", "normal", "medium resolution" → 2K
  • "high resolution", "high-res", "hi-res", "4K", "ultra" → 4K

API Key

The script checks for API key in this order:

  1. --api-key argument (use if user provided key in chat)
  2. OPENROUTER_KEY environment variable

If neither is available, the script exits with an error message.

Preflight + Common Failures (fast fixes)

  • Preflight:

    • command -v uv (must exist)
    • test -n \"$OPENROUTER_KEY\" (or pass --api-key)
    • If editing: test -f \"path/to/input.png\"

  • Common failures:

    • Error: No API key provided. → set OPENROUTER_KEY or pass --api-key
    • Error loading input image: → wrong path / unreadable file; verify --input-image points to a real image
    • “quota/permission/403” style API errors → wrong key, no access, or quota exceeded; try a different key/account

Filename Generation

Generate filenames with the pattern: yyyy-mm-dd-hh-mm-ss-name.png

Format: {timestamp}-{descriptive-name}.png

  • Timestamp: Current date/time in format yyyy-mm-dd-hh-mm-ss (24-hour format)
  • Name: Descriptive lowercase text with hyphens
  • Keep the descriptive part concise (1-5 words typically)
  • Use context from user's prompt or conversation
  • If unclear, use random identifier (e.g., x9k2, a7b3)

Examples:

  • Prompt "A serene Japanese garden" → 2025-11-23-14-23-05-japanese-garden.png
  • Prompt "sunset over mountains" → 2025-11-23-15-30-12-sunset-mountains.png
  • Prompt "create an image of a robot" → 2025-11-23-16-45-33-robot.png
  • Unclear context → 2025-11-23-17-12-48-x9k2.png

Image Editing

When the user wants to modify an existing image:

  1. Check if they provide an image path or reference an image in the current directory
  2. Use --input-image parameter with the path to the image
  3. The prompt should contain editing instructions (e.g., "make the sky more dramatic", "remove the person", "change to cartoon style")
  4. Common editing tasks: add/remove elements, change style, adjust colors, blur background, etc.

Prompt Handling

For generation: Pass user's image description as-is to --prompt. Only rework if clearly insufficient.

For editing: Pass editing instructions in --prompt (e.g., "add a rainbow in the sky", "make it look like a watercolor painting")

Preserve user's creative intent in both cases.

Prompt Templates (high hit-rate)

Use templates when the user is vague or when edits must be precise.

  • Generation template:

    • “Create an image of: <subject>. Style: <style>. Composition: <camera/shot>. Lighting: <lighting>. Background: <background>. Color palette: <palette>. Avoid: <list>.”

  • Editing template (preserve everything else):

    • “Change ONLY: <single change>. Keep identical: subject, composition/crop, pose, lighting, color palette, background, text, and overall style. Do not add new objects. If text exists, keep it unchanged.”

Output

  • Saves PNG to current directory (or specified path if filename includes directory)
  • Script outputs the full path to the generated image
  • Do not read the image back - just inform the user of the saved path

Examples

Generate new image:

uv run /path/to/this/skill/scripts/generate_image.py --prompt "A serene Japanese garden with cherry blossoms" --filename "2025-11-23-14-23-05-japanese-garden.png" --resolution 4K

Edit existing image:

uv run /path/to/this/skill/scripts/generate_image.py --prompt "make the sky more dramatic with storm clouds" --filename "2025-11-23-14-25-30-dramatic-sky.png" --input-image "original-photo.jpg" --resolution 2K

Comments

Loading comments...