Trust Assessment
nano-banana-2 received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via user-controlled arguments, Potential Path Traversal via user-controlled file paths, Potential Data Exfiltration via input image paths.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via user-controlled arguments The skill's usage instructions describe executing a Python script (`generate_image.py`) via `uv run` with several user-controlled arguments, including `--prompt`, `--filename`, and `--input-image`. If the `generate_image.py` script does not properly sanitize these inputs before using them in shell commands (e.g., `subprocess.run(..., shell=True)`), a malicious user could inject arbitrary commands, leading to remote code execution. The `generate_image.py` script must strictly validate and sanitize all user-provided arguments. Avoid using `shell=True` in `subprocess.run` calls. Instead, pass arguments as a list to prevent shell interpretation. For file paths, implement robust path validation to prevent path traversal. | LLM | SKILL.md:12 | |
| HIGH | Potential Path Traversal via user-controlled file paths The skill allows users to specify input and output file paths via `--input-image` and `--filename` arguments. Without proper validation and sanitization of these paths within the `generate_image.py` script, an attacker could use path traversal sequences (e.g., `../../`) to read sensitive files from arbitrary locations on the file system (via `--input-image`) or write malicious files to unintended directories (via `--filename`). The `generate_image.py` script must sanitize all user-provided file paths. Use `os.path.abspath` and `os.path.commonpath` or `pathlib.Path.resolve()` to ensure that all resolved paths are strictly confined to an allowed base directory (e.g., the user's current working directory or a designated temporary directory). Reject any paths that attempt to traverse outside this allowed scope. | LLM | SKILL.md:12 | |
| MEDIUM | Potential Data Exfiltration via input image paths The skill explicitly allows providing multiple local files as input images (up to 14 via `--input-image`). While the stated purpose is for image generation, reading arbitrary local files from the user's system introduces a data exfiltration risk. If the `generate_image.py` script or the underlying image generation API were compromised or misused, the content of these local files could potentially be exfiltrated to an unauthorized third party. Ensure the `generate_image.py` script strictly validates the file types of input images to prevent reading non-image files. Implement robust logging for all file access. The agent should explicitly confirm with the user before sending the content of local files to any external API, especially if the API's data handling policies are not fully transparent. | LLM | SKILL.md:18 |
Scan History
Embed Code
[](https://skillshield.io/report/fa6433a7e8105a97)
Powered by SkillShield