Nano Banana Pro Image Gen (based on the APIYI proxy site)
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward image generation/editing skill, but it uses an API key, sends prompts and selected images to APIYI, and runs local scripts.
This skill looks purpose-aligned for image generation and editing. Before installing, make sure you trust APIYI with the prompts and images you submit, store the API key in an environment variable rather than typing it into commands, and ensure the agent safely quotes prompt text and filenames when running the included scripts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A badly escaped prompt or filename could cause command failures or unintended shell parsing if the agent runs the template through a shell.
The skill tells the agent to use raw user prompt text in a shell-style command template. Running the local script is expected for this skill, but prompts and file paths should be passed safely so quotes or shell metacharacters do not change the command.
Use the user's original, complete input...directly as the main body of the `-p` prompt ... `node scripts/generate_image.js -p "{prompt}" -f "{filename}"`
Invoke the script with structured arguments when possible, or carefully quote/escape prompt text and paths before running the command.
Anyone who obtains the API key may be able to use the user's APIYI account or consume quota.
The skill needs an APIYI credential, which is expected for the image-generation provider. It also documents command-line API key use, which can be easier to expose through shell history or process listings than an environment variable.
`APIYI_API_KEY` environment variable (recommended) ... `python scripts/generate_image.py -p "一只猫" -k "your-api-key-here"`
Use the recommended `APIYI_API_KEY` environment variable, avoid putting real keys directly in command examples or chat, and rotate the key if it is exposed.
Text prompts and selected input images leave the local machine and are processed by the APIYI service.
The script posts prompts and, for image editing, base64-encoded input images to the APIYI provider endpoint. This is the stated purpose, but it is still an external data transfer.
`url = "https://api.apiyi.com/v1beta/models/gemini-3-pro-image-preview:generateContent"` ... `parts.append({"inlineData": {"mimeType": "image/png", "data": image_base64}})`
Only use this skill with prompts and images you are comfortable sending to APIYI, and review the provider's privacy and retention terms if the content is sensitive.
