Generate or edit images using Google Gemini API via nanobanana. Triggers: "nanobanana", "generate image", "create image", "edit image", "AI drawing", "图片生成",...
Security Analysis
Medium confidence. The skill mostly does what it says (generate/edit images via Google Gemini) but the package metadata omits the required GEMINI_API_KEY and there are small mismatches that the installer/maintainer should fix before trusting it.
The skill's code and SKILL.md both implement image generation/editing against Google Gemini, which matches the name/description. However, the registry metadata lists no required environment variables, while SKILL.md and the script require GEMINI_API_KEY (loaded from ~/.nanobanana.env or the environment). That metadata omission is an inconsistency.
Runtime instructions are focused: collect a prompt/inputs, run the included nanobanana.py, and return the saved image path. The script only reads GEMINI_API_KEY (from env/dotenv) and local input files, and writes the output image; it does not reference unrelated system credentials or external endpoints beyond the Google GenAI client.
There is no install spec (instruction-only skill) and requirements.txt is standard. The SKILL.md suggests using pip to install listed packages; nothing is downloaded from untrusted URLs and there is no archive extraction.
Only GEMINI_API_KEY is needed and that is appropriate for a Gemini client. The concern is that the registry metadata does not declare this required credential, so users may not be warned. The script reads dotenv from ~/.nanobanana.env which could contain secrets — expected for this purpose but should be clearly documented in the skill metadata.
The skill is not always-enabled, does not request system-wide config changes, and only writes output image files. It does not modify other skills or agent settings.
Guidance
This skill appears to implement an image-generation wrapper for Google Gemini, but the registry metadata failed to declare the required GEMINI_API_KEY. Before installing: (1) confirm the GEMINI_API_KEY requirement is added to the skill metadata or that you understand you must set it in ~/.nanobanana.env or your environment; (2) only use a dedicated API key with restricted quota/permissions; (3) review the included nanobanana.py yourself — it will read local input image files and write output images and uses the google-genai client; (4) install dependencies in a controlled environment (virtualenv) rather than system-wide; and (5) be cautious because the skill author/source is unknown and there is no homepage — prefer skills from known publishers or require the author to fix the metadata mismatch before trusting automatic invocation.
Latest Release
v0.1.0
Initial release of nanobanana-skill:
- Adds integration with Google Gemini API for image generation and editing via the nanobanana tool.
- Supports user-defined prompts, aspect ratios, resolutions, and model selection.
- Provides command-line workflow for both generation and editing of images, including support for multiple input and output options.
- Includes setup instructions, supported parameter values, sample usage commands, error troubleshooting, and best practice tips.
Published by @feiskyer on ClawHub