Generate/edit images with Nano Banana Pro (Gemini 3 Pro Image). Use for image create/modify requests incl. edits. Supports text-to-image + image-to-image; 1K/2K/4K; use --input-image.
Security Analysis
medium confidence
The skill appears to implement an image-generation tool for Gemini as described, but the registry metadata omits required items (an API key and the 'uv' runner) and there are small inconsistencies that you should resolve before trusting it.
Name and description match the included script: it calls Google's GenAI client to generate/edit images and uses Pillow to save PNGs. However, the registry metadata claims no required env vars or binaries while the script and SKILL.md clearly depend on an API key (GEMINI_API_KEY or --api-key) and on the 'uv' runner; that mismatch should be corrected.
SKILL.md instructions are narrowly focused on image generation/editing: how to run the script, resolution mapping, filename conventions, and preflight checks. The instructions and script do not request unrelated files, credentials, or send data to unexpected endpoints beyond the GenAI client. They do instruct saving output into the user's current working directory (explicit) which is expected for this use case.
No install/spec is provided (instruction-only with an included Python script). The script lists dependencies (google-genai, pillow) in comments but there is no automated install step; this lowers installer risk but means the environment must separately install those packages. No downloads from unknown URLs are present.
The script requires an API key (GEMINI_API_KEY or --api-key) but the skill metadata does not declare any required environment variables or primary credential. SKILL.md also expects the 'uv' binary to be present but the registry lists no required binaries. These omissions are an inconsistency that could mislead users about what secrets/integrations are needed.
The skill does not request always:true and does not modify other skills or global settings. It writes generated images to the current working directory (expected behavior) but has no extra persistence or elevated privileges beyond normal file writes.
Guidance
This skill's behavior (calling Google GenAI and saving PNGs) matches its description, but the registry metadata omits two important requirements:
- The Python script requires a Gemini API key (GEMINI_API_KEY or --api-key). The skill metadata should declare this; verify you are comfortable providing such a key and that it is scoped/ephemeral if possible.
- The SKILL.md instructs running the script with the 'uv' runner, but the registry lists no required binaries. Confirm you have a trustworthy 'uv' binary and understand how it runs the script.

Before installing or using the skill:
- Ask the publisher for a homepage/source and request corrected metadata that lists GEMINI_API_KEY and the 'uv' runtime requirement.
- Inspect or run the script in a sandboxed environment first. The code is short and readable, but it will send prompts and any provided input images to the Google GenAI client and will create files in the current working directory.
- Avoid exposing highly privileged credentials. Prefer passing a limited-scope or ephemeral API key via the --api-key argument rather than relying on long-lived environment variables when possible.
- Ensure required Python dependencies (google-genai, pillow) are installed from official sources before running.

Given the metadata omissions, treat this as suspicious until the origin and declared requirements are clarified.
Latest Release
v1.0.1
Published by @steipete on ClawHub