Nanobanana Pro
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: nanobanana-pro-fallback
Version: 0.4.4
The skill bundle is benign. Its purpose is to generate and edit images using the Gemini Image API, with model fallback. The `scripts/generate_image.py` script correctly handles API key retrieval, loads user-provided input images, makes calls to the Google Gemini API, and saves the resulting image to a user-specified path. All file system and network operations are directly aligned with the stated purpose. The `SKILL.md` instructions for the agent are clear and include a benign safety instruction ('Do not read the image back; report the saved path only'), with no evidence of malicious prompt injection or other harmful behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill can consume Gemini API quota or incur provider-side costs tied to the supplied key.
The skill requires and uses a Gemini API key to call the Gemini service. This is expected for the stated purpose, but it grants access to the user's Gemini account quota/billing context.
    parser.add_argument("--api-key", "-k", help="Gemini API key (overrides GEMINI_API_KEY env var)")
    ...
    return os.environ.get("GEMINI_API_KEY")
    ...
    client = genai.Client(api_key=api_key)
Use a dedicated Gemini API key with appropriate limits, prefer environment/config storage over passing keys on the command line, and revoke the key if it is no longer needed.
Private prompts or input images provided to the skill may be processed by Gemini.
For image editing/composition, user-provided images and the prompt are placed into the Gemini request. This is purpose-aligned and disclosed as a Gemini Image API skill, but it means selected local image content leaves the local machine.
    contents = [*input_images, args.prompt]
    ...
    response = client.models.generate_content(model=model_name, contents=contents, config=types.GenerateContentConfig(...))
Only provide images and prompts that you are comfortable sending to the Gemini API, and review Google's data handling terms for the account being used.
Future installs may use newer dependency versions than the ones originally tested by the skill author.
The uv script declares external Python dependencies with lower-bound ranges rather than exact pinned versions. This is common for uv-run scripts, but the resolved dependency versions can change over time.
    # dependencies = [
    #     "google-genai>=1.0.0",
    #     "pillow>=10.0.0",
    # ]
Install from a trusted source and consider pinning or locking dependencies in controlled environments.
A mistaken or overly broad output path could create directories or overwrite an existing PNG target chosen by the user or agent.
The script saves the generated image to the provided filename and creates parent directories if needed. This is expected for an image generator, but the artifacts do not restrict the output path.
    output_path = Path(args.filename)
    output_path.parent.mkdir(parents=True, exist_ok=True)
    ...
    image.save(str(output_path), 'PNG')
Use explicit, non-sensitive output paths and avoid pointing the filename at important existing files or protected directories.
