ljquan

Generate/edit images via Tuzi API (default), Google Gemini, OpenAI, DashScope, Replicate. Text-to-image + image-to-image editing; 1K/2K/4K resolution. Use for image create/modify/edit requests incl. --input-image.

by ljquan · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 432
Stars: 1
Active Installs: 1
Versions: 1
Install in OpenClaw
/install tuzi-nano-banana
Description
Generate/edit images via Tuzi API (default), Google Gemini, OpenAI, DashScope, Replicate. Text-to-image + image-to-image editing; 1K/2K/4K resolution. Use fo...
Usage Guidance
This skill largely matches its stated purpose, but proceed cautiously. Specific things to consider before installing/running:
- Metadata mismatch: the registry lists no required env vars while SKILL.md/code require many provider API keys; verify you trust this code before supplying secrets.
- The skill reads ~/.tuzi-skills/.env and ./.tuzi-skills/.env and merges values into process.env. Check those files for unrelated secrets before running or avoid placing secrets there.
- The code uses child_process.execSync with interpolated values to call 'identify' (ImageMagick) and to run curl when an HTTP proxy is set. If you provide proxy strings, API keys, or file paths with unexpected characters this could cause command-line issues or injection. Prefer running in a controlled environment and inspect the code yourself.
- SKILL.md preflight only checks for npx; you may also need ImageMagick ('identify') and curl available depending on options. The script falls back if 'identify' fails, but behavior differs.
- If you want to reduce risk: run the script locally in an isolated environment (container or VM), review the providers' base URLs in code, and avoid storing unrelated secrets in the .tuzi-skills/.env files.
- If you plan to use this skill in production/automated agents, ask the author to fix the metadata (declare required env vars) and to avoid shelling out with unescaped values (use HTTP libraries instead of exec+curl and child_process-safe calls).
Capability Analysis
Type: OpenClaw Skill
Name: tuzi-nano-banana
Version: 1.0.0
The skill bundle contains multiple critical shell injection vulnerabilities. In `scripts/main.ts`, the `autoDetectResolution` function executes the `identify` command using `execSync` with an unsanitized file path from the `--input-image` argument. Similarly, `scripts/providers/google.ts` uses `execSync` to run `curl` with unsanitized proxy settings derived from environment variables. The script also automatically loads environment variables from `.tuzi-skills/.env` files in the current working directory or home directory, which increases the risk of exploitation. While these appear to be unintentional coding flaws rather than deliberate malware, they present a high risk of Remote Code Execution (RCE) if the agent is provided with malicious input or run in a compromised directory.
Capability Assessment
Purpose & Capability
Code implements the five providers named in the description (Tuzi, Google/Gemini, OpenAI, DashScope, Replicate) and needs the corresponding API keys, which is consistent with the skill purpose. However the registry metadata lists no required environment variables while SKILL.md and the code expect multiple provider API keys and config envs — this metadata mismatch is an incoherence that should be corrected.
Instruction Scope
SKILL.md instructs running the included TypeScript with 'npx -y bun' and documents loading env files; however the runtime also uses shell exec (child_process.execSync) for two purposes: (1) calling 'identify' to probe input image size and (2) using curl when an HTTP proxy is set. These exec calls interpolate variables (file paths, proxy, API key) into shell commands which increases risk of command injection or accidental exposure if values are malicious or malformed. The SKILL.md preflight only checks for npx; it does not document the need for ImageMagick ('identify') or curl when proxies are present.
Install Mechanism
No install spec is provided; the skill is distributed as code files and expected to be run via 'npx -y bun <script>'. That approach executes the included scripts directly (no package install step), and npx may fetch/run the bun package at runtime. This is reasonably low-friction but means the included code will run on the user's machine with whatever environment it finds.
Credentials
The skill requires multiple provider API keys (TUZI_API_KEY, GEMINI_API_KEY/GOOGLE_API_KEY, OPENAI_API_KEY, DASHSCOPE_API_KEY, REPLICATE_API_TOKEN) which match its multi-provider nature. However: (a) the registry metadata declares no required env vars (incoherent with SKILL.md/code), and (b) the code reads .tuzi-skills/.env from both the current working directory and the user's home directory and merges their values into process.env — this can cause unrelated secrets stored in those files to be loaded into the process, increasing the risk of accidental leakage or misuse.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not modify other skills or system-wide settings. It only reads files (input images, .env files) and writes the generated PNG to the current working directory.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install tuzi-nano-banana
  3. After installation, invoke the skill by name or use /tuzi-nano-banana
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of tuzi-nano-banana.
- Multi-provider image generation and editing (Tuzi, Google Gemini, OpenAI, DashScope, Replicate).
- Supports text-to-image and image-to-image editing at 1K, 2K, and 4K resolutions.
- CLI tool with detailed options for prompt, resolution, model, API provider, and image input.
- Automatic provider and resolution selection based on user input and available API keys.
- Comprehensive documentation for workflow, environment variables, and usage best practices.
Metadata
Slug tuzi-nano-banana
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is tuzi-nano-banana?

Generate/edit images via Tuzi API (default), Google Gemini, OpenAI, DashScope, Replicate. Text-to-image + image-to-image editing; 1K/2K/4K resolution. Use fo... It is an AI Agent Skill for Claude Code / OpenClaw, with 432 downloads so far.

How do I install tuzi-nano-banana?

Run "/install tuzi-nano-banana" in the OpenClaw or Claude Code chat to install it in one step; no extra setup required.

Is tuzi-nano-banana free?

Yes, tuzi-nano-banana is completely free (open-source). You can download, install and use it at no cost.

Which platforms does tuzi-nano-banana support?

tuzi-nano-banana is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created tuzi-nano-banana?

It is built and maintained by ljquan (@ljquan); the current version is v1.0.0.
