nanobanana-image-generation Security Report — Trusted | ClawSafe

5 /100

nanobanana-image-generation

Gemini-compatible image generation and scientific figure plotting

This is a legitimate AI skill for Gemini-compatible image generation and scientific figure plotting. The pre-scan flagged base64 encoding as critical, but this is standard API behavior for decoding returned images. Placeholder API key examples in documentation are not actual credentials.

Skill Namenanobanana-image-generation

Duration31.8s

Enginepi

✓

Safe to install

This skill is safe to use. No security concerns identified.

Findings 2 items

Severity	Finding	Location
Info	Pre-scan IOC: base64 encoding flagged as critical Doc Mismatch The pre-scan flagged Buffer.from(data, 'base64') at line 330 as suspicious base64 encoding. This is legitimate code that decodes base64 image responses from the Gemini API. It is not obfuscation or malicious encoding. `fs.writeFileSync(filePath, Buffer.from(inlineData.data, "base64"));` → This is expected API behavior, not a security issue.	`scripts/generate_image.js:330`
Info	Pre-scan IOC: API key placeholders in documentation Doc Mismatch SKILL.md contains examples like 'your-provider-key', 'your_provider_api_key', and 'your_zzz_api_key'. These are documented placeholder values for configuration examples, not actual credentials. `export NANOBANANA_API_KEY="your-provider-key"` → These are documentation examples, not hardcoded credentials.	`SKILL.md:59`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✓ Aligned	Local file writes for output images
Network	`READ`	`READ`	✓ Aligned	POST to Gemini API endpoint only
Shell	`NONE`	`NONE`	—	No subprocess or shell execution in any script
Environment	`READ`	`READ`	✓ Aligned	Only reads NANOBANANA_* prefixed env vars

1 Critical 3 High 5 findings

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(inlineData.data, "base64"

scripts/generate_image.js:330

🔑

High API Key 疑似硬编码凭证

API_KEY="your-provider-key"

SKILL.md:59

🔑

High API Key 疑似硬编码凭证

api_key="your_provider_api_key"

SKILL.md:217

🔑

High API Key 疑似硬编码凭证

api_key="your_zzz_api_key"

SKILL.md:222

🔗

Medium External URL 外部 URL

https://api.zhizengzeng.com/google

SKILL.md:67

File Tree

15 files · 97.8 KB · 2602 lines

Markdown 8f · 1264L Python 4f · 965L JavaScript 1f · 348L JSON 1f · 18L YAML 1f · 7L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 7L · 361 B

├─ ▾ 📁 references

│ ├─ 📝 api-reference.md Markdown 121L · 3.0 KB

│ ├─ 📝 materials-science-figure-template.md Markdown 167L · 9.9 KB

│ ├─ 📋 materials-science-figure-templates.json JSON 18L · 9.6 KB

│ ├─ 📝 natural-language-plot-workflow.md Markdown 148L · 3.6 KB

│ ├─ 📝 prompt-templates.md Markdown 46L · 2.4 KB

│ ├─ 📝 publication-chart-patterns.md Markdown 99L · 2.4 KB

│ ├─ 📝 publication-figure-design.md Markdown 81L · 2.4 KB

│ └─ 📝 publication-plot-api.md Markdown 254L · 4.8 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 build_materials_figure_prompt.py Python 71L · 2.4 KB

│ ├─ 🐍 build_plot_spec.py Python 198L · 6.2 KB

│ ├─ 📜 generate_image.js JavaScript 348L · 9.4 KB

│ ├─ 🐍 generate_image.py Python 306L · 10.5 KB

│ └─ 🐍 plot_publication_figure.py Python 390L · 13.4 KB

└─ 📝 SKILL.md Markdown 348L · 17.4 KB

Security Positives

✓ HTTPS enforcement on all API endpoints

✓ Third-party endpoint requires explicit --allow-third-party flag

✓ No shell execution or subprocess usage

✓ No credential exfiltration or data theft patterns

✓ Plot mode is fully local with no network access

✓ API keys can be stored in files to avoid command history exposure

✓ Scripts use standard library only (no external dependencies with supply chain risk)

✓ Clear separation between image mode (network) and plot mode (local)

Scan Report

Findings 2 items

File Tree

Security Positives