Downloads: 478
Stars: 0
Active Installs: 2
Versions: 4
Install in OpenClaw
/install wavespeed-nanobanana2
Description
A professional image-creation skill that calls Wavespeed AI's NanoBanana-2 model for text-to-image and image-to-image generation.
Usage Guidance
Do not install or enable this skill until the issues are fixed. Specific actions to take or request from the author:
- Remove the top-level test block (the anonymous async function at the end of index.js). That code runs on module load and triggers an outbound API call immediately.
- Remove any hardcoded API key from the repository. If the embedded key is real, revoke it immediately (treat it as compromised).
- Fix registry metadata and SKILL.md to consistently declare WAVESPEED_API_KEY as a required environment variable.
- Implement or document the advertised parameters (resolution, output_format) or update SKILL.md to match the actual behavior.
- Replace the malformed skill.json (which contains a shell echo command) with a proper JSON file — shipping a shell command as the skill manifest is suspicious and could modify user files if executed by a maintainer script.
- After the author provides a cleaned version, review that no secrets remain in code and that no code runs network calls on import; run the skill in an isolated environment first to confirm behavior and any billing implications.
If you cannot get a corrected package, treat this skill as untrusted because of embedded secrets and load-time network activity.
Capability Analysis
Type: OpenClaw Skill
Name: wavespeed-nanobanana2
Version: 1.0.3
The skill bundle contains a hardcoded API key in a test block within `index.js`, which constitutes a significant credential leak vulnerability. Additionally, `index.js` includes an Immediately Invoked Function Expression (IIFE) that executes a network request to `api.wavespeed.ai` automatically upon module load, which is unexpected behavior for a skill. Furthermore, the `skill.json` file is provided as a shell command (`echo ... > path`) rather than raw JSON, which could be used to trick an automated agent into executing unauthorized filesystem operations.
Capability Assessment
Purpose & Capability
Name/description and most files indicate a text→image skill for Wavespeed, and the code actually calls a Wavespeed API endpoint; this is coherent. However, SKILL.md advertises parameters (resolution, output_format) that index.js does not implement, and the registry metadata incorrectly lists "Required env vars: none" despite the skill requiring WAVESPEED_API_KEY.
Instruction Scope
SKILL.md is scoped to generating images and using WAVESPEED_API_KEY. The index.js file, however, contains a top-level immediately-invoked test block that will execute when the module is loaded, performing an API call using a hardcoded API key and logging results. That means simply loading/installing the skill triggers network activity and use of an embedded credential — outside the normal runtime use described in SKILL.md.
Install Mechanism
There is no install spec (instruction-only is lower risk), but the package contains code files (index.js and package.json with axios) so installing or loading will write/execute code. The included dependencies are normal (axios) and pulled from npm; no remote downloads or unusual install hosts are present.
Credentials
The skill correctly requires WAVESPEED_API_KEY for the API, which is proportionate. But the package includes a hardcoded API key inside index.js testContext — this is a sensitive secret embedded in source. Also registry metadata claims no required env vars while SKILL.md and skill.json list WAVESPEED_API_KEY, an inconsistency worth resolving.
Persistence & Privilege
The skill does not request always:true and does not declare elevated platform-wide privileges. Permissions list network access which matches its purpose. The main concern is the load-time test behavior, not persistence/privilege escalation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install wavespeed-nanobanana2`
- After installation, invoke the skill by name or use `/wavespeed-nanobanana2`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
Wavespeed NanoBanana2 1.0.3
- Major update: Rewrote and expanded skill for international (English) use.
- Added index.js implementation and npm packaging files.
- Now provides text-to-image generation with customizable resolution (1k, 2k, 4k) and image format (PNG, JPG, WebP).
- Introduced comprehensive error handling and parameter validation.
- Setup now requires setting your Wavespeed API key via environment variable.
v1.0.2
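- Version number bumped from 1.0.0 to 1.0.2.
- Updated the metadata files (_meta.json, skill.json) to match the new version.
- SKILL.md content structure and core description remain unchanged; no features were added or modified, only the version number was revised.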
v1.0.1
- Added _meta.json file with metadata for the skill.
- Updated skill.json with configuration or metadata changes.
- No changes to core skill functionality or documentation.
v1.0.0
Initial release of Wavespeed NanoBanana2
- Adds support for professional text-to-image and image-to-image generation using the Wavespeed AI NanoBanana-2 model.
- Supports multiple styles, including cyberpunk, watercolor, anime, and photorealistic.
- Allows for detailed customization with prompts, reference images, resolution, and style options.
- Includes user instructions, parameter explanations, and usage examples.
- API key configuration required; content safety policies enforced.
Frequently Asked Questions
What is Wavespeed Nanobanana2?
A professional image-creation skill that calls Wavespeed AI's NanoBanana-2 model for text-to-image and image-to-image generation. It is an AI Agent Skill for Claude Code / OpenClaw, with 478 downloads so far.
How do I install Wavespeed Nanobanana2?
Run "/install wavespeed-nanobanana2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Wavespeed Nanobanana2 free?
Yes, Wavespeed Nanobanana2 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Wavespeed Nanobanana2 support?
Wavespeed Nanobanana2 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Wavespeed Nanobanana2?
It is built and maintained by reroc8 (@reroc8); the current version is v1.0.3.