Is duffycoder/nano-banana-pro-openrouter safe?
https://github.com/openclaw/skills/tree/main/skills/duffycoder/nano-banana-pro-openrouter
nano-banana-pro-openrouter is a straightforward OpenRouter image generation wrapper with no evidence of malicious intent, prompt injection, or active data exfiltration. The skill's primary security concerns are design-level: API credentials transit the LLM context window, are exposed on the CLI during script execution, and the API base URL is fully configurable without domain pinning — creating a credential-misdirection vector if the skill's .env is ever tampered with. Canary files were untouched, the install was clean, and the script does exactly what the description claims.
Findings (8)
MEDIUM (-18): API key exposed as CLI argument
The SKILL.md workflow and script design pass the OpenRouter API key via --api-key on the command line. On Linux, any process running as the same or a privileged user can read /proc/
MEDIUM (-10): Configurable API base URL with no domain pinning
OPENROUTER_BASE_URL is loaded from .env files without any validation that the URL points to openrouter.ai. If this variable is tampered with (e.g., through a compromised .env delivered by another skill), the API key and image prompts are transmitted to an arbitrary HTTPS endpoint. The SKILL.md explicitly instructs OpenClaw to pass this URL to the script.
MEDIUM (-15): Agent instructed to read .env and pass credentials into LLM context
The OpenClaw Chat Execution Rules section instructs the agent to use its read tool to open the skill .env file, extract OPENROUTER_API_KEY and OPENROUTER_BASE_URL, and pass them explicitly on the command line. This means raw credential values transit the LLM's context window and conversation history, which is logged by the platform and may appear in completions.
LOW (-10): eval used in .env parser (mitigated by key validation)
The load_env_file function uses eval to test if a shell variable is already set. Although a case guard restricts keys to [A-Za-z0-9_] with no leading digit — preventing injection through key names — any future regression in that validation would create a code injection path from an attacker-controlled .env file.
LOW (-10): curl fetches from attacker-controllable URLs in API response
The script uses awk to extract image_url values from the raw API JSON and passes them to curl without URL scheme or hostname validation. A compromised or spoofed API endpoint could inject an http:// or file:// URL to probe internal network services or read local files.
LOW (-6): Script loads .env from current working directory
load_env_file "$PWD/.env" is called unconditionally. If the agent's working directory at invocation time contains a .env that defines OPENROUTER_BASE_URL, the script silently overrides the configured endpoint without user visibility.
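The four script-side findings above (eval in the .env parser, the unpinned base URL, unvalidated image URLs handed to curl, and the unconditional $PWD/.env load) share one remedy: parse and validate inputs without evaluating them. The following is an added example written for this page, not the skill's own script, showing hardened versions of each pattern in POSIX sh. The function names, the NANO_BANANA_ALLOW_CWD_ENV opt-in flag and the sample .env contents are assumptions made for the example; only the OPENROUTER_* variable names and the openrouter.ai host come from the findings.

```shell
#!/bin/sh
# Added example, not the skill's own code. Hardened versions of the script-side
# patterns in the findings: an eval-free .env loader, base-URL pinning, image-URL
# validation before curl, and an opt-in for the working-directory .env. All
# function names and the NANO_BANANA_ALLOW_CWD_ENV flag are assumptions.

# 1. eval-free .env loader. Accepts only KEY=VALUE lines whose key matches
#    [A-Za-z_][A-Za-z0-9_]*, strips one layer of matching quotes, never evaluates
#    the value, and leaves variables already present in the environment untouched.
load_env_file_safe() {
    file=$1
    [ -f "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # blank line or comment
            *=*) ;;                # must contain an assignment
            *) continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case $key in
            [A-Za-z_]*) ;;         # leading character must be a letter or underscore
            *) continue ;;
        esac
        case $key in
            *[!A-Za-z0-9_]*) continue ;;   # reject anything outside the safe key charset
        esac
        case $value in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        # "already set" is decided by inspecting the environment, not by eval;
        # $key is safe in the regex because it passed the charset check above
        if env | grep -q "^${key}="; then
            continue
        fi
        export "$key=$value"
    done < "$file"
}

# 2. Pin the API base URL: https only, authority exactly openrouter.ai or a
#    subdomain, no userinfo, port or stray characters. The authority is checked on
#    its own so that https://evil.example/x@openrouter.ai/ cannot pass on a suffix match.
check_base_url() {
    url=$1
    case $url in
        https://*) ;;
        *) return 1 ;;
    esac
    authority=${url#https://}
    authority=${authority%%/*}
    case $authority in
        openrouter.ai|*.openrouter.ai) ;;
        *) return 1 ;;
    esac
    case $authority in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# 3. Validate a URL taken from the API response before it reaches curl: https only
#    (so http:// and file:// are refused) and a non-empty hostname made of plain DNS
#    characters. When fetching, also pass curl --proto '=https' --proto-redir '=https'
#    so the scheme restriction survives redirects.
check_image_url() {
    url=$1
    case $url in
        https://*) ;;
        *) return 1 ;;
    esac
    authority=${url#https://}
    authority=${authority%%/*}
    case $authority in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# 4. Only read $PWD/.env when the caller opts in, so a stray .env in the agent's
#    working directory cannot silently redirect the endpoint.
load_cwd_env_if_requested() {
    [ "${NANO_BANANA_ALLOW_CWD_ENV:-0}" = "1" ] || return 0
    load_env_file_safe "$PWD/.env"
}

# Demo run: sh hardened.sh --demo  (uses a constructed .env written to a temp file)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' '# constructed .env' 'OPENROUTER_API_KEY="sk-or-CONSTRUCTED"' \
        'X;touch /tmp/pwned=1' '1BAD=x' 'OPENROUTER_BASE_URL=https://openrouter.ai/api/v1' > "$tmp"
    load_env_file_safe "$tmp"; rm -f "$tmp"
    echo "key=${OPENROUTER_API_KEY:-unset} base=${OPENROUTER_BASE_URL:-unset}"
    check_base_url "${OPENROUTER_BASE_URL:-}" && echo "base URL pinned OK"
    check_image_url 'file:///etc/passwd' || echo "file:// image URL rejected"
fi
```

The loader deliberately does not try to emulate every dotenv feature (no `export` prefixes, no variable expansion inside values); the point is that an attacker-controlled line such as `X;touch /tmp/pwned=1` is dropped at the key check and a value is never handed to `eval`. Pinning the authority rather than suffix-matching the whole URL is what defeats the userinfo and subdomain-lookalike cases.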
INFO (0): Clean install with no supply-chain vectors
No .gitmodules, .gitattributes smudge filters, git hooks, or symlinks were found. The monorepo clone used depth=1 and sparse checkout. All three installed files match expected hashes.
INFO (0): No canary file exfiltration; monitoring accesses are from the audit harness
Two sets of OPEN+ACCESS events on sensitive canary files (.env, id_rsa, .aws/credentials, .npmrc, docker config, gcloud creds) occurred at audit timestamps 1771933816 and 1771933840. Both sets correlate with sudo/monitoring bootstrap and teardown, not with the skill install or any script from the skill.