Trust Assessment
nano-banana-pro received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 5 high, 1 medium, and 0 low severity. Key findings include File read + network send exfiltration, Sensitive path access: AI agent config, Potential Command Injection via User-Controlled Arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | plugins/nano-banana-pro/skills/SKILL.md:12 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | plugins/nano-banana-pro/skills/SKILL.md:17 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | plugins/nano-banana-pro/skills/SKILL.md:87 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | plugins/nano-banana-pro/skills/SKILL.md:92 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | plugins/nano-banana-pro/skills/SKILL.md:12 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | plugins/nano-banana-pro/skills/SKILL.md:17 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | plugins/nano-banana-pro/skills/SKILL.md:87 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | plugins/nano-banana-pro/skills/SKILL.md:92 | |
| HIGH | Potential Command Injection via User-Controlled Arguments The skill documentation instructs the agent to execute a Python script (`generate_image.py`) using `uv run`, passing user-controlled input directly to command-line arguments such as `--prompt`, `--filename`, and `--input-image`. If the `generate_image.py` script does not rigorously sanitize these arguments before using them in internal shell commands (e.g., `subprocess.run(..., shell=True)`), a malicious user could inject arbitrary shell commands. This could lead to arbitrary code execution, data exfiltration, or system compromise. Examples of dangerous inputs include path traversal in `--filename` or `--input-image`, or shell metacharacters in `--prompt`. The `generate_image.py` script must rigorously sanitize all user-provided arguments (`--prompt`, `--filename`, `--input-image`) to prevent command injection and path traversal. When executing external commands from Python, avoid `shell=True` and pass arguments as a list to `subprocess.run`. For filenames, validate paths to ensure they are within expected directories and do not contain traversal sequences (e.g., `..`). | Static | SKILL.md:10 | |
| MEDIUM | Credential Exposure via Command-Line Argument The skill documentation explicitly shows passing the API key via a command-line argument (`--api-key KEY`). Command-line arguments are often visible in system process lists (`ps aux`), shell history, and system logs, making the API key susceptible to exposure. While the skill also supports using the `GEMINI_API_KEY` environment variable (which is a more secure method), the instruction to use `--api-key` if the 'user provided key in chat' encourages an insecure practice. Prioritize the use of environment variables (e.g., `GEMINI_API_KEY`) for sensitive credentials. If a user provides a key in chat, the agent should be instructed to set it as an environment variable for the duration of the command execution rather than passing it as a command-line argument. Avoid logging commands that contain sensitive information. | Static | SKILL.md:30 |
Scan History
Embed Code
[](https://skillshield.io/report/3959439575ed261a)
Powered by SkillShield