ljquan

Generate/edit images via Tuzi API (default), Google Gemini, OpenAI, DashScope, Replicate. Text-to-image + image-to-image editing; 1K/2K/4K resolution. Use for image create/modify/edit requests incl. --input-image.

Author: ljquan · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 432
Favorites: 1
Current installs: 1
Versions: 1
Install in OpenClaw
/install tuzi-nano-banana
Security usage recommendations
This skill largely matches its stated purpose, but proceed cautiously. Specific things to consider before installing/running:
- Metadata mismatch: the registry lists no required env vars while SKILL.md/code require many provider API keys; verify you trust this code before supplying secrets.
- The skill reads ~/.tuzi-skills/.env and ./.tuzi-skills/.env and merges values into process.env. Check those files for unrelated secrets before running or avoid placing secrets there.
- The code uses child_process.execSync with interpolated values to call 'identify' (ImageMagick) and to run curl when an HTTP proxy is set. If you provide proxy strings, API keys, or file paths with unexpected characters this could cause command-line issues or injection. Prefer running in a controlled environment and inspect the code yourself.
- SKILL.md preflight only checks for npx; you may also need ImageMagick ('identify') and curl available depending on options — the script falls back if 'identify' fails, but behavior differs.
- If you want to reduce risk: run the script locally in an isolated environment (container or VM), review the providers' base URLs in code, and avoid storing unrelated secrets in the .tuzi-skills/.env files. If you plan to use this skill in production/automated agents, ask the author to fix the metadata (declare required env vars) and to avoid shelling out with unescaped values (use HTTP libraries instead of exec+curl and child_process-safe calls).
Functional analysis
Type: OpenClaw Skill
Name: tuzi-nano-banana
Version: 1.0.0
The skill bundle contains multiple critical shell injection vulnerabilities. In `scripts/main.ts`, the `autoDetectResolution` function executes the `identify` command using `execSync` with an unsanitized file path from the `--input-image` argument. Similarly, `scripts/providers/google.ts` uses `execSync` to run `curl` with unsanitized proxy settings derived from environment variables. The script also automatically loads environment variables from `.tuzi-skills/.env` files in the current working directory or home directory, which increases the risk of exploitation. While these appear to be unintentional coding flaws rather than deliberate malware, they present a high risk of Remote Code Execution (RCE) if the agent is provided with malicious input or run in a compromised directory.
Capability assessment
Purpose & Capability
Code implements the five providers named in the description (Tuzi, Google/Gemini, OpenAI, DashScope, Replicate) and needs the corresponding API keys, which is consistent with the skill purpose. However the registry metadata lists no required environment variables while SKILL.md and the code expect multiple provider API keys and config envs — this metadata mismatch is an incoherence that should be corrected.
Instruction Scope
SKILL.md instructs running the included TypeScript with 'npx -y bun' and documents loading env files; however the runtime also uses shell exec (child_process.execSync) for two purposes: (1) calling 'identify' to probe input image size and (2) using curl when an HTTP proxy is set. These exec calls interpolate variables (file paths, proxy, API key) into shell commands which increases risk of command injection or accidental exposure if values are malicious or malformed. The SKILL.md preflight only checks for npx; it does not document the need for ImageMagick ('identify') or curl when proxies are present.
Install Mechanism
No install spec is provided; the skill is distributed as code files and expected to be run via 'npx -y bun <script>'. That approach executes the included scripts directly (no package install step), and npx may fetch/run the bun package at runtime. This is reasonably low-friction but means the included code will run on the user's machine with whatever environment it finds.
Credentials
The skill requires multiple provider API keys (TUZI_API_KEY, GEMINI_API_KEY/GOOGLE_API_KEY, OPENAI_API_KEY, DASHSCOPE_API_KEY, REPLICATE_API_TOKEN) which match its multi-provider nature. However: (a) the registry metadata declares no required env vars (incoherent with SKILL.md/code), and (b) the code reads .tuzi-skills/.env from both the current working directory and the user's home directory and merges their values into process.env — this can cause unrelated secrets stored in those files to be loaded into the process, increasing the risk of accidental leakage or misuse.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not modify other skills or system-wide settings. It only reads files (input images, .env files) and writes the generated PNG to the current working directory.
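How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install tuzi-nano-banana
  3. Once installation completes, invoke the Skill by name or trigger it with /tuzi-nano-banana
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history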
v1.0.0
- Initial release of tuzi-nano-banana.
- Multi-provider image generation and editing (Tuzi, Google Gemini, OpenAI, DashScope, Replicate).
- Supports text-to-image and image-to-image editing at 1K, 2K, and 4K resolutions.
- CLI tool with detailed options for prompt, resolution, model, API provider, and image input.
- Automatic provider and resolution selection based on user input and available API keys.
- Comprehensive documentation for workflow, environment variables, and usage best practices.
Metadata
Slug tuzi-nano-banana
Version 1.0.0
License
Total installs 1
Current installs 1
Number of versions 1
FAQ

What is tuzi-nano-banana?

It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 432 total downloads to date.

How do I install tuzi-nano-banana?

Run the command "/install tuzi-nano-banana" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is tuzi-nano-banana free?

Yes, tuzi-nano-banana is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does tuzi-nano-banana support?

tuzi-nano-banana is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed tuzi-nano-banana?

It is developed and maintained by ljquan (@ljquan); the current version is v1.0.0.
