v1.0.2

Nano Banana Pro Image Generator

Benign. ClawScan verdict for this skill. Analyzed May 1, 2026, 7:46 AM.

Analysis

This appears to be a straightforward Media.io image-generation connector, but it requires a Media.io API key and sends prompts or reference image URLs to Media.io.

Guidance: This skill is coherent with its stated image-generation purpose. Before installing, make sure you are comfortable providing a Media.io API key, spending any associated credits, and sending prompts or reference image URLs to Media.io.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
SKILL.md
pip install requests

The skill asks the user to manually install an unpinned Python dependency. This is common and purpose-aligned for a simple API wrapper, but it is still a supply-chain detail users should notice.

User impact: The local Python environment must trust the installed requests package source and version.
Recommendation: Install dependencies from a trusted package index, preferably in a virtual environment, and pin versions if reproducibility is important.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
`API_KEY` | **Yes** | Media.io OpenAPI key, sent as `X-API-KEY` header.

The skill requires a credential for the user's Media.io API account. This is disclosed and purpose-aligned, but it gives the skill account-level API access for this service.

User impact: Using the skill may consume Media.io credits and exposes the configured API key to the skill's API calls.
Recommendation: Use a dedicated or revocable Media.io API key if available, monitor credit usage, and remove or rotate the key when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Endpoint: `POST https://openapi.media.io/generation/banana/i2i-banana-2` ... `prompt` ... `image` | Reference image URL for image-to-image

The skill sends prompts and optional reference image URLs to an external provider endpoint. This is central to the image-generation purpose, but users should treat submitted content as shared with Media.io.

User impact: Prompts, task IDs, and reference image URLs may be transmitted to Media.io for processing.
Recommendation: Avoid submitting confidential prompts or private image URLs unless Media.io's data handling terms are acceptable.