v1.0.0

Nano Banana Cut 图片生成切割，用于短视频创作，解决角色一致性问题和故事叙事

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

This appears to be a real image generation/cutting tool, but its local web server exposes file, admin, and token-backed actions too broadly.

GuidanceReview carefully before installing. If you use it, run the server only when needed, use limited/revocable AceData keys, avoid sensitive prompts or images, restrict access to localhost, and consider disabling global CORS or adding authentication before keeping the service running.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

POST /api/cut ... { "path": "图片路径", "num": 9, "out": "输出目录（可选）" } ... POST /api/admin/delete/:id ... POST /api/shutdown

The documented local API includes caller-supplied file paths/output directories plus admin deletion and shutdown actions. Combined with server.py enabling CORS, these are broad operations without a clearly documented protection boundary.

User impactA caller that reaches the local service could trigger file writes for image cuts, delete or alter task records, retry/close tasks, or shut down the service rather than only use the intended UI flow.

RecommendationRequire local-session authentication and CSRF protection, restrict CORS to the UI origin, validate/allowlist file paths, and require explicit confirmation for destructive/admin actions.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

templates/index.html

<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"></script> ... masonry-layout@4.2.2 ... imagesloaded@5.0.0

The frontend loads third-party CDN scripts. This is common for web UIs, but those scripts execute in the local app page and are not shown with integrity checks.

User impactIf a CDN dependency is compromised, the page code could run inside the local tool's browser context.

RecommendationVendor these libraries locally or add subresource integrity hashes and a strict Content Security Policy.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

SKILL.md

API_KEY（必填）... PLATFORM_TOKEN（可选）... 配置会保存到 `.env` 文件中。

The skill requires and stores AceData credentials, while the registry metadata says there are no required env vars and no primary credential. The code also uses these values as Bearer tokens for provider API calls.

User impactRunning the tool gives it delegated access to the user's AceData account and optional platform upload token, which may affect account quota and uploaded image data.

RecommendationDeclare the credential requirements in metadata, use least-privilege/revocable tokens, and avoid exposing token-backed API actions through unauthenticated local endpoints.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceMediumStatusConcern

server.py

app = Flask(__name__, static_folder='static', static_url_path='/static')
CORS(app)

Global CORS allows cross-origin browser access to the Flask API. With documented endpoints for works listing, downloads, uploads, generation, and administration, the origin and data boundary is unclear.

User impactIf the local server is running, another website may be able to interact with it from the user's browser and potentially read generated-work metadata/downloads or trigger token-backed actions.

RecommendationDisable global CORS, allow only the expected localhost UI origin, add authentication, and separate read/download/admin APIs with stricter checks.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

server.py

prompt TEXT NOT NULL ... request_data TEXT ... respond TEXT

The SQLite schema persists prompts, request data, and provider responses. This is aligned with the works-management feature, but it can retain private creative prompts, image URLs, and task details.

User impactAnyone with access to the machine or the running local service may be able to view prompt history, generated-image metadata, and saved outputs.

RecommendationAvoid sensitive prompts or reference images, document retention clearly, and provide an easy cleanup/delete-all option for the database and saved work folders.