Total downloads: 478
Favorites: 0
Current installs: 2
Versions: 4
Install in OpenClaw
/install wavespeed-nanobanana2
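Description
A professional image-creation skill that calls Wavespeed AI's NanoBanana-2 model for text-to-image and image-to-image generation.
Security recommendations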
Do not install or enable this skill until the issues are fixed. Specific actions to take or request from the author:
- Remove the top-level test block (the anonymous async function at the end of index.js). That code runs on module load and triggers an outbound API call immediately.
- Remove any hardcoded API key from the repository. If the embedded key is real, revoke it immediately (treat it as compromised).
- Fix registry metadata and SKILL.md to consistently declare WAVESPEED_API_KEY as a required environment variable.
- Implement or document the advertised parameters (resolution, output_format) or update SKILL.md to match the actual behavior.
- Replace the malformed skill.json (which contains a shell echo command) with a proper JSON file — shipping a shell command as the skill manifest is suspicious and could modify user files if executed by a maintainer script.
- After the author provides a cleaned version, review that no secrets remain in code and that no code runs network calls on import; run the skill in an isolated environment first to confirm behavior and any billing implications.
If you cannot get a corrected package, treat this skill as untrusted because of embedded secrets and load-time network activity.
Functional analysis
Type: OpenClaw Skill
Name: wavespeed-nanobanana2
Version: 1.0.3
The skill bundle contains a hardcoded API key in a test block within `index.js`, which constitutes a significant credential leak vulnerability. Additionally, `index.js` includes an Immediately Invoked Function Expression (IIFE) that executes a network request to `api.wavespeed.ai` automatically upon module load, which is unexpected behavior for a skill. Furthermore, the `skill.json` file is provided as a shell command (`echo ... > path`) rather than raw JSON, which could be used to trick an automated agent into executing unauthorized filesystem operations.
Capability assessment
Purpose & Capability
Name/description and most files indicate a text→image skill for Wavespeed and the code actually calls a Wavespeed API endpoint — this is coherent. However SKILL.md advertises parameters (resolution, output_format) that index.js does not implement, and the registry metadata incorrectly lists "Required env vars: none" despite the skill requiring WAVESPEED_API_KEY.
Instruction Scope
SKILL.md is scoped to generating images and using WAVESPEED_API_KEY. The index.js file, however, contains a top-level immediately-invoked test block that will execute when the module is loaded, performing an API call using a hardcoded API key and logging results. That means simply loading/installing the skill triggers network activity and use of an embedded credential — outside the normal runtime use described in SKILL.md.
Install Mechanism
There is no install spec (instruction-only is lower risk), but the package contains code files (index.js and package.json with axios) so installing or loading will write/execute code. The included dependencies are normal (axios) and pulled from npm; no remote downloads or unusual install hosts are present.
Credentials
The skill correctly requires WAVESPEED_API_KEY for the API, which is proportionate. But the package includes a hardcoded API key inside index.js testContext — this is a sensitive secret embedded in source. Also registry metadata claims no required env vars while SKILL.md and skill.json list WAVESPEED_API_KEY, an inconsistency worth resolving.
Persistence & Privilege
The skill does not request always:true and does not declare elevated platform-wide privileges. Permissions list network access which matches its purpose. The main concern is the load-time test behavior, not persistence/privilege escalation.
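How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: `/install wavespeed-nanobanana2`
- After installation, call the skill by name or trigger it with `/wavespeed-nanobanana2`.
- Provide the required inputs according to the skill's parameter description to get structured output.
Version history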
v1.0.3
Wavespeed NanoBanana2 1.0.3
- Major update: Rewrote and expanded skill for international (English) use.
- Added index.js implementation and npm packaging files.
- Now provides text-to-image generation with customizable resolution (1k, 2k, 4k) and image format (PNG, JPG, WebP).
- Introduced comprehensive error handling and parameter validation.
- Setup now requires setting your Wavespeed API key via environment variable.
v1.0.2
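- Version number bumped from 1.0.0 to 1.0.2.
- Updated the metadata files (_meta.json, skill.json) to match the new version.
- SKILL.md content structure and core description remain the same; no features added or modified, only the version number revised.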
v1.0.1
- Added _meta.json file with metadata for the skill.
- Updated skill.json with configuration or metadata changes.
- No changes to core skill functionality or documentation.
v1.0.0
Initial release of Wavespeed NanoBanana2
- Adds support for professional text-to-image and image-to-image generation using the Wavespeed AI NanoBanana-2 model.
- Supports multiple styles, including cyberpunk, watercolor, anime, and photorealistic.
- Allows for detailed customization with prompts, reference images, resolution, and style options.
- Includes user instructions, parameter explanations, and usage examples.
- API key configuration required; content safety policies enforced.
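FAQ
What is Wavespeed Nanobanana2?
A professional image-creation skill that calls Wavespeed AI's NanoBanana-2 model for text-to-image and image-to-image generation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 478 downloads to date.
How do I install Wavespeed Nanobanana2?
Run the command `/install wavespeed-nanobanana2` in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Wavespeed Nanobanana2 free?
Yes, Wavespeed Nanobanana2 is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Wavespeed Nanobanana2 support?
Wavespeed Nanobanana2 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Wavespeed Nanobanana2?
It is developed and maintained by reroc8 (@reroc8); the current version is v1.0.3.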