Trust Assessment
nano-banana-2 received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The findings are Arbitrary File Write via Path Traversal and Arbitrary File Read via Path Traversal.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary File Write via Path Traversal.** The skill constructs file paths for output images directly from user-provided input (`--filename`) without sanitization. This allows an attacker to use path traversal sequences (e.g., `../../`) to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing malicious content in unexpected directories. The `output_path.parent.mkdir` and `image.save` calls will respect these traversal sequences. Sanitize the `args.filename` input to prevent path traversal. Ensure that the resolved path remains within an allowed output directory. A common approach is to resolve the absolute path and then check if it starts with a known, safe base directory, or to disallow path separators in the filename entirely. | Static | scripts/generate_image.py:105 |
| MEDIUM | **Arbitrary File Read via Path Traversal.** The skill reads input images from user-provided paths (`--input-image`) without sanitization. This allows an attacker to use path traversal sequences (e.g., `../../`) to read arbitrary files from the filesystem. While `PILImage.open` is designed for image files, it could still be used to attempt to read non-image files, potentially leading to information disclosure if the agent is instructed to read sensitive files. Sanitize the `args.input_image` paths to prevent path traversal. Ensure that input image paths are restricted to a designated safe directory or validate that they do not contain path traversal sequences. Implement checks to ensure that only valid image files are opened. | Static | scripts/generate_image.py:113 |