← Back to Skills Marketplace

Nanobanana

Name: Nanobanana
Author: moxunjinmu

by 莫循 · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ⚠ suspicious

255

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install nanobanana

Description

Nano Banana 2 Pro AI 图像生成工具。当用户提到"生图"、"生成图片"、"AI画图"、"nano banana"、"nanobanana"、或需要调用 Nano Banana API 生成/编辑图片时触发。支持文本生成图片、图片编辑（以图生图）、多模态对话。

Usage Guidance

This skill runs a Node script that sends your prompts and any local images you pass to a remote API at https://claw.cjcook.site. Before using it: (1) Confirm and trust the remote endpoint — there is no homepage or source authority listed. (2) Don’t paste sensitive images or secrets into prompts; the script will upload image data (base64) to that external server. (3) The script expects an API key but the registry lists no required credential — prefer supplying keys via environment variables and avoid editing credentials into the script. (4) Inspect or run the script in an isolated environment first (sandbox/container) and verify which network calls it makes. (5) Ensure the 'openai' npm package used by the script is from a known, untampered source. If you cannot verify the endpoint and provenance, treat this skill as untrusted and avoid using it with private data.

Capability Analysis

Type: OpenClaw Skill Name: nanobanana Version: 1.0.2 The skill facilitates image generation and editing by interacting with a third-party API endpoint (https://claw.cjcook.site/v1). While the code in `scripts/nanobanana.js` appears to fulfill its stated purpose, it contains a significant vulnerability: it reads arbitrary local files via the `--image` argument and transmits their base64-encoded content to the remote server without any path validation or file-type verification. This allows for potential data exfiltration if the AI agent is manipulated into 'editing' sensitive files (e.g., SSH keys or configuration files). Additionally, the use of a non-existent model name ('gemini-3.1-flash-image') and a future-dated timestamp in `_meta.json` are unusual indicators.

Capability Assessment

⚠ Purpose & Capability

The code implements an image-generation/editing CLI consistent with the skill description, but it points to a custom baseURL (https://claw.cjcook.site/v1) rather than a documented Nano Banana or official provider endpoint. The registry declares no required credentials, yet the script requires an API key (CONFIG.apiKey) stored in the script; this mismatch between declared requirements and the actual configuration is concerning.

⚠ Instruction Scope

Runtime instructions and the script read local image files (expected for image editing) and convert them to base64, then transmit them (and user prompts) to the configured remote API. Transmitting local files to an external, non-official endpoint is a material privacy/exfiltration risk and is not made explicit in the registry metadata or SKILL.md beyond the single baseURL/config example.

✓ Install Mechanism

No install spec is present (instruction-only skill with an included script). There are no downloads or archive extraction steps. The script relies on the 'openai' npm package which SKILL.md claims is preinstalled in a workspace path; that is unusual but not an install-time risk from the skill itself.

⚠ Credentials

The registry declares no required environment variables or credentials, but the script requires an API key (CONFIG.apiKey) to be set in the file. This is inconsistent and increases risk: users might run the script without realizing they must place secrets into the code, or they may inadvertently leak local images/inputs to an unexpected remote service. The SKILL.md also references a specific local node_modules path, which is environment-specific and odd.

✓ Persistence & Privilege

The skill does not request permanent/always-on presence, does not modify other skills or system-wide configuration, and will only act when invoked. No elevated platform privileges are requested.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install nanobanana
After installation, invoke the skill by name or use /nanobanana
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.2

安全修复：移除泄露的 API Key，改为环境变量

v1.0.1

fix: 移除泄露的 API Key，改为环境变量

v1.0.0

初始版本：支持文本生成图片、图片编辑、多模态对话

Metadata

Slug nanobanana

Version 1.0.2

License MIT-0

All-time Installs 2

Active Installs 1

Total Versions 3

Frequently Asked Questions

What is Nanobanana?

Nano Banana 2 Pro AI 图像生成工具。当用户提到"生图"、"生成图片"、"AI画图"、"nano banana"、"nanobanana"、或需要调用 Nano Banana API 生成/编辑图片时触发。支持文本生成图片、图片编辑（以图生图）、多模态对话。 It is an AI Agent Skill for Claude Code / OpenClaw, with 255 downloads so far.

How do I install Nanobanana?

Run "/install nanobanana" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Nanobanana free?

Yes, Nanobanana is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Nanobanana support?

Nanobanana is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Nanobanana?

It is built and maintained by 莫循 (@moxunjinmu); the current version is v1.0.2.

More Skills