Security scan
OpenClaw
Safe
high confidence: The skill is internally consistent with its stated purpose: a small Node.js CLI wrapper that calls a nanobanana-plus HTTP service, requires only node, and does not request unrelated credentials or persist secrets.
Assessment advice
This skill is a small CLI wrapper that expects a running nanobanana-plus HTTP service and Node.js. Before installing: ensure you trust the base URL you provide (the script will POST prompts and tokens there), pass private tokens only via --token (the skill intentionally does not persist them), and be aware generated images are saved to disk and the script prints file paths (MEDIA:...) which chat platforms may auto-attach. Also verify you want Homebrew to install Node on your system and that the ...
✓ Purpose and capabilities
Name/description match the included files: the package is a Node CLI that sends HTTP requests to a nanobanana-plus service. Required binary (node) and the brew install of node are proportional and expected.
ℹ Instruction scope
Runtime instructions and the script stay within scope: they call health/models/generate endpoints on the configured base-url, accept an explicit --token (not read from env or disk), and write returned images to local files. Note: the script prints MEDIA: lines and file paths (intended for chat provider attachments), which could expose local file paths to integrated chat providers — this is documented in SKILL.md and appears intentional.
✓ Install mechanism
Install spec is a single brew formula for node (official, expected). No downloads from untrusted URLs or archives; risk here is low and proportional to needing Node.js.
✓ Credential requirements
The skill declares no required environment variables or secrets. The script accepts an explicit --token parameter but does not persist it or read other environment variables or local config files — this is consistent with the stated design.
✓ Persistence and privileges
Skill does not request permanent presence, does not modify other skills or system configs, and does not persist credentials to disk. It only writes generated image files to user-specified/current directories, which is expected behavior.
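Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.5.3 2026/3/26
OpenClaw Skill changed to call the CLI directly; no need to start the HTTP service
● Harmless
Install command
Official: npx clawhub@latest install nanobanana-plus
Mirror: npx clawhub@latest install nanobanana-plus --registry https://cn.clawhub-mirror.com
Skill documentation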
Use the bundled script to call a running nanobanana-plus HTTP service.
Initialize once with a guided prompt:
node {baseDir}/scripts/nanobanana-plus.mjs init
Or pass the values explicitly:
node {baseDir}/scripts/nanobanana-plus.mjs init \
--base-url "http://localhost:3456" \
--token "your-private-token"
Default service URL:
http://localhost:3456
init does not store credentials on disk. It only prints the exact commands to run next.
Health check:
node {baseDir}/scripts/nanobanana-plus.mjs check --base-url "http://localhost:3456"
List models:
node {baseDir}/scripts/nanobanana-plus.mjs models \
--base-url "http://localhost:3456" \
--token "your-private-token"
Generate one image:
node {baseDir}/scripts/nanobanana-plus.mjs generate \
--base-url "http://localhost:3456" \
--prompt "一只橘猫坐在雨天窗台上" \
--filename "cat-window.png" \
--aspect-ratio "16:9" \
--token "your-private-token"
Generate multiple images:
node {baseDir}/scripts/nanobanana-plus.mjs generate \
--base-url "http://localhost:3456" \
--prompt "cinematic sci-fi alley at night" \
--filename "alley.png" \
--output-count 2 \
--model "gemini-3-pro-image-preview" \
--token "your-private-token"
Notes:
- generate works with local or remote nanobanana-plus services.
- The skill intentionally requires an explicit --token for private services instead of reading environment variables or local config files.
- Edit and restore are intentionally omitted from the ClawHub skill so that it does not send local file paths or local file contents over HTTP.
- The script writes image files locally and prints MEDIA: lines so supported chat providers can auto-attach outputs.
- The script no longer reads tokens from environment variables and no longer stores credentials on disk.
- Use init, --token, or --base-url to control credentials and endpoint.
- If the service is not running, start it separately with nanobanana-plus api --port 3456.
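A pre-flight check for the --base-url value, since the scan notes that prompts and tokens are POSTed to whatever endpoint is configured. This is an added example, not code from the nanobanana-plus skill; checkBaseUrl, its allowlist policy and the host images.example.com are assumptions made for illustration.

```javascript
// Added example (not part of the skill): validate --base-url before a
// private token is sent to it. Policy assumed here: loopback hosts are
// always allowed, remote hosts must be allowlisted, and a token is only
// sent to a remote host over HTTPS.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function checkBaseUrl(baseUrl, { hasToken = false, allowedHosts = [] } = {}) {
  let url;
  try {
    url = new URL(baseUrl);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  // "localhost:3456" without a scheme parses as scheme "localhost:" and is
  // rejected here instead of being silently misread.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL; use --token" };
  }
  const host = url.hostname.toLowerCase();
  const loopback = LOOPBACK_HOSTS.has(host);
  if (!loopback && !allowedHosts.includes(host)) {
    return { ok: false, reason: `host ${host} is not on the allowlist` };
  }
  if (hasToken && !loopback && url.protocol !== "https:") {
    return { ok: false, reason: "token would be sent over plain HTTP" };
  }
  return { ok: true, origin: url.origin };
}

// Constructed sample inputs, not taken from the page.
const samples = [
  ["http://localhost:3456", { hasToken: true }],
  ["http://images.example.com:3456",
    { hasToken: true, allowedHosts: ["images.example.com"] }],
  ["https://images.example.com",
    { hasToken: true, allowedHosts: ["images.example.com"] }],
];
for (const [u, opts] of samples) {
  console.log(u, JSON.stringify(checkBaseUrl(u, opts)));
}
```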
Data source: ClawHub · Chinese localization: 龙虾技能库