by 安全扫描
OpenClaw
可疑
medium confidenceThe skill mostly implements an image-generation CLI, but it silently sends prompts and any local images to an unverified external endpoint and requires an API key that is not declared in the registry metadata — these inconsistencies merit caution before installing or running it.
评估建议
This skill runs a Node script that sends your prompts and any local images you pass to a remote API at https://claw.cjcook.site. Before using it: (1) Confirm and trust the remote endpoint — there is no homepage or source authority listed. (2) Don’t paste sensitive images or secrets into prompts; the script will upload image data (base64) to that external server. (3) The script expects an API key but the registry lists no required credential — prefer supplying keys via environment variables and a...详细分析 ▾
⚠ 用途与能力
The code implements an image-generation/editing CLI consistent with the skill description, but it points to a custom baseURL (https://claw.cjcook.site/v1) rather than a documented Nano Banana or official provider endpoint. The registry declares no required credentials, yet the script requires an API key (CONFIG.apiKey) stored in the script; this mismatch between declared requirements and the actual configuration is concerning.
⚠ 指令范围
Runtime instructions and the script read local image files (expected for image editing) and convert them to base64, then transmit them (and user prompts) to the configured remote API. Transmitting local files to an external, non-official endpoint is a material privacy/exfiltration risk and is not made explicit in the registry metadata or SKILL.md beyond the single baseURL/config example.
✓ 安装机制
No install spec is present (instruction-only skill with an included script). There are no downloads or archive extraction steps. The script relies on the 'openai' npm package which SKILL.md claims is preinstalled in a workspace path; that is unusual but not an install-time risk from the skill itself.
⚠ 凭证需求
The registry declares no required environment variables or credentials, but the script requires an API key (CONFIG.apiKey) to be set in the file. This is inconsistent and increases risk: users might run the script without realizing they must place secrets into the code, or they may inadvertently leak local images/inputs to an unexpected remote service. The SKILL.md also references a specific local node_modules path, which is environment-specific and odd.
✓ 持久化与权限
The skill does not request permanent/always-on presence, does not modify other skills or system-wide configuration, and will only act when invoked. No elevated platform privileges are requested.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/3/28
安全修复:移除泄露的 API Key,改为环境变量
● 可疑
安装命令 点击复制
官方npx clawhub@latest install nanobanana
镜像加速npx clawhub@latest install nanobanana --registry https://cn.clawhub-mirror.com
技能文档
快速开始
# 文本对话
node nanobanana.js "你好"# 图片生成
node nanobanana.js "一只可爱的橘猫"
# 图片编辑(以图生图)
node nanobanana.js "把这只猫变成机器人" --image cat.jpg
# 查看帮助
node nanobanana.js
配置
脚本位于 scripts/nanobanana.js,API 配置在文件顶部:
const CONFIG = {
baseURL: "https://claw.cjcook.site/v1",
apiKey: "YOUR_API_KEY",
model: "nanobanana-2pro",
maxTokens: 4096,
outputDir: path.join(__dirname, "output"),
};
图片输出到 output/ 目录。
API 基础信息
- Endpoint:
https://claw.cjcook.site/v1/chat/completions - 模型:
nanobanana-2pro(实际为 gemini-3.1-flash-image) - 认证: Bearer 令牌
- 返回格式: 图片在
消息.images[0].image_url.url(base64 JPEG) - 文本回复:
消息.content(可能为 空)
核心函数
// 生成图片(含输入图片时为编辑模式)
generateImage(prompt, inputImage = null, options = {})// 纯文本对话
chat(text)
环境要求
- 节点.js >= 18
- 需要
openainpm 包(已在/root/.openclaw/workspace-moma/node_modules安装) - 工作目录需有
node_modules(或通过 NODE_PATH 指定)
常见错误
| 错误 | 原因 | 处理 |
|---|---|---|
auth_unavailable | 服务端临时过载 | 稍后重试 |
401 | API Key 无效/过期 | 检查 key |
429 | 请求频率超限 | 降低频率 |
500 | 服务端错误 | 稍后重试 |
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制