Nanobanana Pro
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears purpose-aligned for Gemini image generation, but users should notice that it uses a Gemini API key, sends prompts/images to Gemini, installs Python dependencies, and writes output files.
This skill looks coherent and not suspicious based on the provided artifacts. Install it if you are comfortable using Gemini for image generation, sending selected prompts/images to that provider, and relying on uv-resolved Python dependencies. Use a limited Gemini API key and choose output filenames carefully.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill can consume Gemini API quota or incur provider-side costs tied to the supplied key.
The skill requires and uses a Gemini API key to call the Gemini service. This is expected for the stated purpose, but it grants access to the user's Gemini account quota/billing context.
parser.add_argument("--api-key", "-k", help="Gemini API key (overrides GEMINI_API_KEY env var)") ... return os.environ.get("GEMINI_API_KEY") ... client = genai.Client(api_key=api_key)
Use a dedicated Gemini API key with appropriate limits, prefer environment/config storage over passing keys on the command line, and revoke the key if it is no longer needed.
Private prompts or input images provided to the skill may be processed by Gemini.
For image editing/composition, user-provided images and the prompt are placed into the Gemini request. This is purpose-aligned and disclosed as a Gemini Image API skill, but it means selected local image content leaves the local machine.
contents = [*input_images, args.prompt] ... response = client.models.generate_content(model=model_name, contents=contents, config=types.GenerateContentConfig(...))
Only provide images and prompts that you are comfortable sending to the Gemini API, and review Google's data handling terms for the account being used.
Future installs may use newer dependency versions than the ones originally tested by the skill author.
The uv script declares external Python dependencies with lower-bound ranges rather than exact pinned versions. This is common for uv-run scripts, but the resolved dependency versions can change over time.
# dependencies = [
#     "google-genai>=1.0.0",
#     "pillow>=10.0.0",
# ]
Install from a trusted source and consider pinning or locking dependencies in controlled environments.
A mistaken or overly broad output path could create directories or overwrite an existing PNG target chosen by the user or agent.
The script saves the generated image to the provided filename and creates parent directories if needed. This is expected for an image generator, but the artifacts do not restrict the output path.
output_path = Path(args.filename)
output_path.parent.mkdir(parents=True, exist_ok=True)
...
image.save(str(output_path), 'PNG')
Use explicit, non-sensitive output paths and avoid pointing the filename at important existing files or protected directories.
