Generate or edit images via Gemini 3 Pro Image (Nano Banana Pro).
Security Analysis
High confidence
The skill's code and runtime instructions are consistent with its stated purpose (calling Gemini image APIs to generate/edit images) and request only the expected API key; minor metadata/installation inconsistencies deserve attention but do not indicate malicious behavior.
The script and SKILL.md implement image generation/editing via the Google genai client and only require an API key, which matches the description. Minor inconsistency: the top-level registry metadata shows no required binaries or install spec, but the SKILL.md metadata declares 'uv' as a required binary and includes a brew install entry for it. This mismatch is likely an authoring oversight rather than malicious, but it should be noted.
Runtime instructions confine actions to: reading GEMINI_API_KEY (or receiving --api-key), loading user-supplied input image files, calling the Google GenAI client, and writing a single output PNG path (printing a MEDIA: token). The SKILL.md warns not to read the image back; the script does not exfiltrate image contents. No unrelated files, system paths, or extra env vars are accessed.
There is no registry-level install spec, but the SKILL.md metadata suggests installing 'uv' via Homebrew and the script lists Python dependencies (google-genai, pillow) in comments. These are reasonable for the task, but the skill does not include explicit pip install steps in the registry metadata — expect the user to have or install the required tools. No downloads from untrusted URLs or extract actions are present in the packaged files.
Only GEMINI_API_KEY (or the --api-key argument) is used to authenticate to the Google GenAI API. That single credential is proportionate to the stated purpose. The SKILL.md optionally suggests storing the key in ~/.clawdbot/moltbot.json, which is a convenience but not required by the script.
The skill does not request always:true and is user-invocable; it does not modify other skill or system configurations. Suggesting placement of the API key in moltbot.json could persist the secret, but that is a user-controlled action rather than an automatic privilege the skill asserts.
Guidance
This skill appears to do what it says: call Google's Gemini (via google-genai) to generate or edit images and save a PNG. Before installing:
1) Only provide a GEMINI_API_KEY (or pass it per-run); avoid pasting unrelated secrets. If you store the key in ~/.clawdbot/moltbot.json be aware that the key will be persisted on disk — consider using environment variables or restricting the file's permissions.
2) The SKILL.md suggests installing 'uv' (Homebrew) and the Python libraries google-genai and pillow; review the provenance of those packages (use official sources).
3) The registry metadata and SKILL.md disagree about install requirements (uv present in SKILL.md metadata but not in top-level registry fields) — this is likely a packaging oversight but verify you have the required runtime tools.
4) If you're unsure about trust, run the script in an isolated environment (container/VM) and only provide an API key with minimal scope.
Overall there are no signs of data-exfiltration or unrelated credential access in the included files.
Latest Release
v0.1.0
Initial release of Nano Banana Pro (Gemini 3 Pro Image) skill.
- Generate or edit images using Gemini 3 Pro via a bundled Python script.
- Supports image generation, editing a single image, and composing up to 14 images.
- Choose output resolution: 1K (default), 2K, or 4K.
- Requires a GEMINI_API_KEY environment variable.
- Outputs saved image path and a special MEDIA: line for chat integration.
- Installation instructions provided for dependencies (uses uv).
Published by @DyCathecorde on ClawHub