
Wavespeed Nanobanana2 — Wavespeed Tool

v1.0.3

A professional image-creation skill that calls Wavespeed AI's NanoBanana-2 model for text-to-image and image-to-image generation

0 · 391 · 2 current · 2 cumulative
by @reroc8·MIT-0
License
MIT-0
Last updated
2026/4/12
Security scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
The skill appears to implement a Wavespeed text-to-image integration (coherent), but the package contains several inconsistencies and risky artifacts — notably a hardcoded API key and a top-level test that runs on load — that make it suspicious and require cleanup before use.
Assessment recommendations
Do not install or enable this skill until the issues are fixed. Specific actions to take or request from the author:
- Remove the top-level test block (the anonymous async function at the end of index.js). That code runs on module load and triggers an outbound API call immediately.
- Remove any hardcoded API key from the repository. If the embedded key is real, revoke it immediately (treat it as compromised).
- Fix registry metadata and SKILL.md to consistently declare WAVESPEED_API_KEY as a req...
Detailed analysis
Purpose and capability
Name/description and most files indicate a text→image skill for Wavespeed and the code actually calls a Wavespeed API endpoint — this is coherent. However SKILL.md advertises parameters (resolution, output_format) that index.js does not implement, and the registry metadata incorrectly lists "Required env vars: none" despite the skill requiring WAVESPEED_API_KEY.
Instruction scope
SKILL.md is scoped to generating images and using WAVESPEED_API_KEY. The index.js file, however, contains a top-level immediately-invoked test block that will execute when the module is loaded, performing an API call using a hardcoded API key and logging results. That means simply loading/installing the skill triggers network activity and use of an embedded credential — outside the normal runtime use described in SKILL.md.
Install mechanism
There is no install spec (instruction-only is lower risk), but the package contains code files (index.js and package.json with axios) so installing or loading will write/execute code. The included dependencies are normal (axios) and pulled from npm; no remote downloads or unusual install hosts are present.
Credential requirements
The skill correctly requires WAVESPEED_API_KEY for the API, which is proportionate. But the package includes a hardcoded API key inside index.js testContext — this is a sensitive secret embedded in source. Also registry metadata claims no required env vars while SKILL.md and skill.json list WAVESPEED_API_KEY, an inconsistency worth resolving.
Persistence and privileges
The skill does not request always:true and does not declare elevated platform-wide privileges. Permissions list network access which matches its purpose. The main concern is the load-time test behavior, not persistence/privilege escalation.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.3 · 2026/3/5

Wavespeed NanoBanana2 1.0.3
- Major update: Rewrote and expanded skill for international (English) use.
- Added index.js implementation and npm packaging files.
- Now provides text-to-image generation with customizable resolution (1k, 2k, 4k) and image format (PNG, JPG, WebP).
- Introduced comprehensive error handling and parameter validation.
- Setup now requires setting your Wavespeed API key via environment variable.

● Suspicious

Install command

Official: npx clawhub@latest install wavespeed-nanobanana2
Mirror: npx clawhub@latest install wavespeed-nanobanana2 --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: Lobster Skill Library (龙虾技能库)