Nano Triple
Author: Matt Van Horn · v1.2.0
Total downloads: 936
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install nano-triple
Description
3 images, one prompt, instant A/B/C. Nano Banana Pro's natural randomness gives you three distinct takes on any image idea — generated in parallel. Pick the...
Security Usage Recommendations
This skill's instructions run a script from ~/.npm-global and say they will use GEMINI_API_KEY, but the skill metadata does not declare those requirements. Before installing or enabling: (1) Verify the referenced repository/package (https://github.com/mvanhorn/nano-triple and the nano-banana-pro package) and inspect the generate_image.py script for what it does; (2) Confirm you have and trust the 'uv' runner and any npm package at ~/.npm-global — running files from your home directory can execute arbitrary code; (3) Only provide a GEMINI_API_KEY if you trust the implementation and know where requests will be sent; (4) If you cannot inspect the external script or do not trust the package source, do not enable this skill. Asking the skill author to declare required env vars, binaries, and the exact network endpoints would resolve the main concerns.
Functional Analysis
Type: OpenClaw Skill
Name: nano-triple
Version: 1.2.0
The skill bundle contains a significant command injection vulnerability in SKILL.md. It instructs the AI agent to execute a shell command using `uv run` while passing the user's raw, unvalidated input directly into the `--prompt` argument. While the stated goal of parallel image generation is plausible, this pattern allows for remote code execution (RCE) if a user provides a crafted prompt containing shell metacharacters (e.g., backticks or semicolons).
Capability Assessment
Purpose & Capability
Description says 'generate 3 images' which is reasonable, but the SKILL.md expects an external script at ~/.npm-global/lib/node_modules/clawdbot/skills/nano-banana-pro/scripts/generate_image.py and the 'uv' runner; those runtime dependencies are not declared in the skill metadata (no required binaries, no install). That is disproportionate to the stated simple purpose.
Instruction Scope
Runtime instructions explicitly run three local commands that execute a script from the user's ~/.npm-global path. The SKILL.md also says it will use GEMINI_API_KEY from environment or openclaw config. The manifest did not declare these filesystem paths or env vars. Executing a script from a user home path and implicitly reading an API key are out-of-band actions not disclosed in the skill metadata.
Install Mechanism
This is instruction-only (no install spec), which is low-risk in principle, but the instructions assume a separately installed npm package and a 'uv' runner. Because the skill will invoke code that lives outside the skill bundle, it implicitly depends on third-party software that isn't installed or verified by the manifest.
Credentials
SKILL.md states it uses GEMINI_API_KEY from environment or openclaw config, but the registry metadata lists no required env vars or primary credential. Requesting an API key for an image-generation backend would be proportional if declared; here the credential access is undisclosed and therefore suspicious.
Persistence & Privilege
The skill does not request always:true or elevated persistence. It allows autonomous invocation (the platform default), which by itself is expected and not flagged. The primary concerns are undeclared runtime actions, not persistence privileges.
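How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install nano-triple
- Once installation completes, call the Skill by name or use /nano-triple to trigger it
- Provide the required input according to the Skill's parameter description to get structured output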
Version History
v1.2.0
Rebrand: clawdbot → openclaw in metadata key and prose references.
v1.1.0
Republish after ClawHavoc moderation sweep. Updated descriptions, Grok-4/API 2026 notes, author/license/repository metadata.
v1.0.0
Initial release - generate 3 images with same prompt, pick best or give feedback for 3 more
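Frequently Asked Questions
What is Nano Triple?
3 images, one prompt, instant A/B/C. Nano Banana Pro's natural randomness gives you three distinct takes on any image idea — generated in parallel. Pick the... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 936 cumulative downloads to date.
How do I install Nano Triple?
Run the command "/install nano-triple" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Nano Triple free?
Yes, Nano Triple is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Nano Triple support?
Nano Triple runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Nano Triple?
It is developed and maintained by Matt Van Horn (@mvanhorn); the current version is v1.2.0.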