Security Audit

nano-banana-pro

github.com/intellectronica/agent-skills

AI SkillCommit 326f2466f4b7

CRITICAL

Scanned 9 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

nano-banana-pro received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 12 findings: 5 critical, 6 high, 0 medium, and 0 low severity. Key findings include File read + network send exfiltration, Sensitive path access: AI agent config, Arbitrary File Write via --filename parameter.

The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 11, 2026 (commit 326f2466). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Network Access

4 findings

Filesystem Write

10 findings

Shell Execution

6 findings

Dynamic Code

1 finding

Excessive Permissions

8 findings

Security Findings12

Severity	Finding	Layer	Location
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:12
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:17
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:87
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:92
CRITICAL	Arbitrary File Write via --filename parameter The `args.filename` parameter, used to specify the output path for the generated image, is directly used to construct a `Path` object and save the image without any path sanitization. An attacker can use path traversal sequences (e.g., `../../../../tmp/malicious.png` or `/etc/cron.d/malicious_job`) to write files to arbitrary locations on the filesystem. This could lead to data corruption, denial of service, or even remote code execution if a malicious file is written to a sensitive system location that is later executed. Implement strict path sanitization for `args.filename`. Ensure the filename does not contain path separators (`/`, `\`) or path traversal sequences (`..`). The output file should always be saved within a designated, secure output directory, ideally one that is user-specific and sandboxed. For example, only allow saving to the current working directory or a specific `output/` subdirectory, and sanitize the base filename part.	Unknown	scripts/generate_image.py:61
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:12
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:17
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:87
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-9c6s0xm_/repo/skills/nano-banana-pro/SKILL.md:92
HIGH	Arbitrary File Read via --input-image parameter The `--input-image` parameter allows the skill to open and attempt to process any file on the filesystem using `PILImage.open()`. An attacker can specify a path to a sensitive file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, `.env` files) as the `--input-image` argument. While `PILImage.open()` might fail for non-image files, the attempt to open and read the file occurs, potentially revealing file existence or even partial content if `PILImage` attempts to parse it. This constitutes a data exfiltration vector. Validate the input image path to ensure it's within an allowed directory (e.g., a temporary directory or a user-specific sandbox), or restrict file access to only files explicitly provided by the user through a secure file upload mechanism. Alternatively, implement strict path sanitization to prevent reading outside designated directories.	Unknown	scripts/generate_image.py:66
HIGH	LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 5 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion.	Unknown	(sanity check)
INFO	Unpinned dependencies The dependencies `google-genai` and `pillow` are pinned to major versions (`>=1.0.0`, `>=10.0.0`) but not to specific minor or patch versions. This means that future installations could pull in newer, potentially incompatible or vulnerable versions of these libraries without explicit review. While not a direct vulnerability, it increases the risk of unexpected behavior or security regressions if a new version introduces a bug or vulnerability. Pin dependencies to exact versions (e.g., `google-genai==1.2.3`, `pillow==10.1.0`) or at least to minor versions (e.g., `google-genai~=1.0`, `pillow~=10.0`) to ensure deterministic builds and reduce the risk of unexpected changes.	Unknown	scripts/generate_image.py:4

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/36b6b69ce9a3e91c.svg)](https://skillshield.io/report/36b6b69ce9a3e91c)