Skill v0.1.2

ClawScan security

Nano Banana Pro Image Gen (via the API易 relay site) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review date: Apr 26, 2026, 2:46 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and SKILL.md implement an image-generation client that sends prompts and base64-encoded images to https://api.apiyi.com. It requires an API key and a runtime (node or python), but the registry metadata declares neither the required environment variable nor the runtime binaries. This manifest mismatch, together with the missing provenance (no owner or homepage), is worth verifying before use.
Guidance
What to check before installing:

1) Metadata mismatch: the registry lists no required env vars or binaries, but the skill requires an API key (APIYI_API_KEY or --api-key) and prefers Node if present (falling back to Python). Ask the publisher to fix the manifest.
2) External endpoint: the scripts send prompts and any input images (base64) to https://api.apiyi.com. Use the skill only if you trust that provider and accept that prompts and images leave your machine; avoid sending sensitive or identifying images unless you trust api.apiyi.com.
3) Review the included scripts locally before running them (they are plain JS/Python): they perform network requests, read local input files, and write output files.
4) If you proceed, run in a sandbox and use an API key that is scoped or limited appropriately.
5) Because owner/homepage are missing, prefer skills with clearer provenance, or ask the publisher for contact, terms, and privacy information.

If you want me to, I can point out the exact lines that read env vars or perform the POST, or summarize any other potential privacy/network effects in the code.
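Items 1 and 3 above amount to a static pre-install audit: pull the env vars, CLI flags, network hosts, runtimes and file I/O out of the bundled scripts and compare them with what the manifest declares. The following script is an added example written for this page, not ClawHub's scanner and not the skill's own code. The two embedded scripts are constructed stand-ins that mimic the behaviors the review describes (they are not the skill's real files; the request path is omitted), and the manifest shape (`env`, `bins`, `hosts` keys) is an assumption, not ClawHub's real schema.

```python
"""Static pre-install audit of a skill's bundled scripts (added example, not the scanner's code)."""
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the skill's bundled scripts. They are NOT the real files;
# they only reproduce the behaviours the review describes so the checks below have input.
SAMPLE_NODE = '''
const fs = require("fs");
const key = process.env.APIYI_API_KEY || argValue("--api-key");
const BASE = "https://api.apiyi.com";  // request path omitted in this constructed sample
const img = fs.readFileSync(process.argv[2]).toString("base64");
fetch(BASE, { method: "POST", body: JSON.stringify({ key, img }) });
fs.writeFileSync("out.png", Buffer.from(result, "base64"));
'''

SAMPLE_PY = '''
import os, sys, base64, argparse, urllib.request
p = argparse.ArgumentParser()
p.add_argument("-k", "--api-key")
key = p.parse_args().api_key or os.environ.get("APIYI_API_KEY")
with open(sys.argv[1], "rb") as f:
    img = base64.b64encode(f.read())
req = urllib.request.Request("https://api.apiyi.com", data=img, method="POST")
with open("out.png", "wb") as f:
    f.write(b"")
'''

# Heuristic patterns for the behaviours a reviewer wants surfaced.
ENV_PATTERNS = [
    re.compile(r"process\.env\.([A-Z][A-Z0-9_]*)"),                               # process.env.NAME
    re.compile(r"process\.env\[\s*['\"]([A-Z][A-Z0-9_]*)['\"]\s*\]"),               # process.env["NAME"]
    re.compile(r"os\.(?:environ(?:\.get)?|getenv)\s*[\[(]\s*['\"]([A-Z][A-Z0-9_]*)['\"]"),  # os.environ[...] / .get / getenv
]
FLAG_PATTERN = re.compile(r"['\"](--[a-z][a-z0-9-]*)['\"]")          # "--api-key" style flags in string literals
HOST_PATTERN = re.compile(r"https?://([A-Za-z0-9.-]+)")              # host part of any literal URL
READ_PATTERN = re.compile(r"fs\.readFile(?:Sync)?\(|open\([^)]*['\"]rb?['\"]")
WRITE_PATTERN = re.compile(r"fs\.writeFile(?:Sync)?\(|open\([^)]*['\"][wa]b?['\"]")


@dataclass
class Findings:
    """What one script needs from the environment and what it touches."""
    runtime: str
    env_vars: set = field(default_factory=set)
    cli_flags: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    reads_files: bool = False
    writes_files: bool = False


def audit_script(filename: str, source: str) -> Findings:
    """Extract env vars, flags, hosts and file I/O from a script's source text."""
    runtime = "node" if filename.endswith(".js") else "python" if filename.endswith(".py") else "unknown"
    f = Findings(runtime=runtime)
    for pat in ENV_PATTERNS:
        f.env_vars.update(pat.findall(source))
    f.cli_flags.update(FLAG_PATTERN.findall(source))
    f.hosts.update(HOST_PATTERN.findall(source))
    f.reads_files = READ_PATTERN.search(source) is not None
    f.writes_files = WRITE_PATTERN.search(source) is not None
    return f


def check_manifest(findings: list, manifest: dict) -> list:
    """Return the requirements the scripts impose that the manifest does not declare.

    `manifest` is an assumed shape: {"env": [...], "bins": [...], "hosts": [...]}.
    """
    declared_env = set(manifest.get("env", []))
    declared_bins = set(manifest.get("bins", []))
    declared_hosts = set(manifest.get("hosts", []))
    issues = set()
    for f in findings:
        issues.update(f"undeclared env var: {v}" for v in f.env_vars - declared_env)
        if f.runtime != "unknown" and f.runtime not in declared_bins:
            issues.add(f"undeclared runtime binary: {f.runtime}")
        issues.update(f"undeclared network host: {h}" for h in f.hosts - declared_hosts)
    return sorted(issues)


if __name__ == "__main__":
    found = [audit_script("gen.js", SAMPLE_NODE), audit_script("gen.py", SAMPLE_PY)]
    for f in found:
        print(f)
    # An empty manifest, as the review describes for this skill.
    for issue in check_manifest(found, {"env": [], "bins": [], "hosts": []}):
        print("MISMATCH:", issue)
```

Running the audit against the constructed samples with an empty manifest reports the undeclared `APIYI_API_KEY`, the undeclared `node` and `python` runtimes, and the undeclared host `api.apiyi.com`; the read/write flags tell you to expect local file I/O. The regexes are deliberately simple heuristics: they catch the direct patterns, not indirection such as `process.env[name]` with a computed name, so treat a clean result as a prompt to read the scripts, not a substitute for it.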

Review Dimensions

Purpose & Capability
note: The name/description claim an image-generation/editing skill using the NanoBananaPro model via api.apiyi.com, which matches the included Python and Node scripts and the SKILL.md instructions. The functionality (text-to-image and image editing, up to 14 reference images, aspect-ratio/resolution options) is coherent with the stated purpose.
Instruction Scope
concern: The runtime instructions and scripts explicitly require an API key (APIYI_API_KEY or --api-key), read local input images (encoded to base64), and POST prompt-plus-image payloads to https://api.apiyi.com/v1beta/models/…:generateContent. Those behaviors are consistent with image generation, but they transmit user prompts and any supplied images to an external service and write output files to disk. The SKILL.md and scripts do not attempt to access unrelated system files or other credentials, but they do prefer running Node if present, and the skill's manifest omits that requirement (see environment_proportionality).
Install Mechanism
note: There is no install spec (instruction-only), which lowers install-time risk. However, the package includes runnable Python and Node scripts: there is no build/install step, but invoking the scripts performs network requests and file I/O. This is expected for this kind of skill, but users should be aware that code will be executed locally when the skill is invoked.
Credentials
concern: The registry metadata declares no required env vars or credentials, but SKILL.md and both scripts require an API key (APIYI_API_KEY or the -k/--api-key command-line option) and will run with either Node or Python present. This is an incoherence: the skill needs a network API credential and a runtime binary (node or python), neither of which is declared in the manifest. No other unrelated secrets are requested by the code.
Persistence & Privilege
ok: The skill does not request permanent inclusion (always=false) and does not modify other skills or system-wide configuration. It only writes generated images to the output path and does not persist any other agent-level state.