Nano Triple
by Matt Van Horn · v1.2.0
936 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install nano-triple
Description
3 images, one prompt, instant A/B/C. Nano Banana Pro's natural randomness gives you three distinct takes on any image idea — generated in parallel. Pick the...
Usage Guidance
This skill's instructions run a script from ~/.npm-global and say they will use GEMINI_API_KEY, but the skill metadata does not declare those requirements. Before installing or enabling: (1) Verify the referenced repository/package (https://github.com/mvanhorn/nano-triple and the nano-banana-pro package) and inspect the generate_image.py script for what it does; (2) Confirm you have and trust the 'uv' runner and any npm package at ~/.npm-global — running files from your home directory can execute arbitrary code; (3) Only provide a GEMINI_API_KEY if you trust the implementation and know where requests will be sent; (4) If you cannot inspect the external script or do not trust the package source, do not enable this skill. Asking the skill author to declare required env vars, binaries, and the exact network endpoints would resolve the main concerns.
Capability Analysis
Type: OpenClaw Skill
Name: nano-triple
Version: 1.2.0
The skill bundle contains a significant command injection vulnerability in SKILL.md. It instructs the AI agent to execute a shell command using `uv run` while passing the user's raw, unvalidated input directly into the `--prompt` argument. While the stated goal of parallel image generation is plausible, this pattern allows for remote code execution (RCE) if a user provides a crafted prompt containing shell metacharacters (e.g., backticks or semicolons).
Capability Assessment
Purpose & Capability
Description says 'generate 3 images' which is reasonable, but the SKILL.md expects an external script at ~/.npm-global/lib/node_modules/clawdbot/skills/nano-banana-pro/scripts/generate_image.py and the 'uv' runner; those runtime dependencies are not declared in the skill metadata (no required binaries, no install). That is disproportionate to the stated simple purpose.
Instruction Scope
Runtime instructions explicitly run three local commands that execute a script from the user's ~/.npm-global path. The SKILL.md also says it will use GEMINI_API_KEY from environment or openclaw config. The manifest did not declare these filesystem paths or env vars. Executing a script from a user home path and implicitly reading an API key are out-of-band actions not disclosed in the skill metadata.
Install Mechanism
This is instruction-only (no install spec), which is low-risk in principle, but the instructions assume a separately installed npm package and a 'uv' runner. Because the skill will invoke code that lives outside the skill bundle, it implicitly depends on third-party software that isn't installed or verified by the manifest.
Credentials
SKILL.md states it uses GEMINI_API_KEY from environment or openclaw config, but the registry metadata lists no required env vars or primary credential. Requesting an API key for an image-generation backend would be proportional if declared; here the credential access is undisclosed and therefore suspicious.
Persistence & Privilege
The skill does not request always:true or elevated persistence. It allows autonomous invocation (the platform default), which by itself is expected and not flagged. The primary concerns are undeclared runtime actions, not persistence privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install nano-triple
- After installation, invoke the skill by name or use /nano-triple
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Rebrand: clawdbot → openclaw in metadata key and prose references.
v1.1.0
Republish after ClawHavoc moderation sweep. Updated descriptions, Grok-4/API 2026 notes, author/license/repository metadata.
v1.0.0
Initial release - generate 3 images with same prompt, pick best or give feedback for 3 more
Frequently Asked Questions
What is Nano Triple?
3 images, one prompt, instant A/B/C. Nano Banana Pro's natural randomness gives you three distinct takes on any image idea — generated in parallel. Pick the... It is an AI Agent Skill for Claude Code / OpenClaw, with 936 downloads so far.
How do I install Nano Triple?
Run "/install nano-triple" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nano Triple free?
Yes, Nano Triple is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Nano Triple support?
Nano Triple is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Nano Triple?
It is built and maintained by Matt Van Horn (@mvanhorn); the current version is v1.2.0.