Trust Assessment
nano-banana-pro received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 4 critical, 6 high, 0 medium, and 0 low severity. Key findings include File read + network send exfiltration, Sensitive path access: AI agent config, Arbitrary File Read via --input-image.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings11
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/nano-banana-pro/SKILL.md:12 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/nano-banana-pro/SKILL.md:17 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/nano-banana-pro/SKILL.md:87 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/nano-banana-pro/SKILL.md:92 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/nano-banana-pro/SKILL.md:12 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/nano-banana-pro/SKILL.md:17 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/nano-banana-pro/SKILL.md:87 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/nano-banana-pro/SKILL.md:92 | |
| HIGH | Arbitrary File Read via --input-image The script uses `PILImage.open(args.input_image)` to load an image for editing. The `args.input_image` parameter is directly taken from user input without validation or sanitization. This allows an attacker to specify an arbitrary file path on the system, potentially leading to the reading of sensitive files (e.g., `/etc/passwd`, configuration files). While PIL might not successfully parse non-image files, the act of opening and reading the file's contents still constitutes a data exfiltration risk. Implement strict validation for the `--input-image` argument. Ensure the path is within an allowed directory (e.g., the current working directory or a designated temporary directory) and/or verify the file extension and magic bytes to confirm it's an actual image file before attempting to open it. Disallow absolute paths and directory traversal (`../`). | Static | scripts/generate_image.py:68 | |
| HIGH | Arbitrary File Write via --filename The script constructs the output path using `output_path = Path(args.filename)` and then saves the generated image to `str(output_path)`. The `args.filename` parameter is directly taken from user input without validation. This allows an attacker to specify an arbitrary file path, including absolute paths or paths containing directory traversal (`../`), potentially leading to overwriting existing files or writing new files to unintended locations on the filesystem. The `output_path.parent.mkdir()` call further facilitates this by creating parent directories for arbitrary paths. Implement strict validation for the `--filename` argument. Ensure the filename is a simple base name or a path relative to the current working directory without directory traversal (`../`) or absolute paths. A common approach is to only allow base filenames and construct the full path using `Path.cwd() / args.filename`. | Static | scripts/generate_image.py:60 | |
| INFO | Unpinned or Loosely Pinned Dependencies The skill's dependencies are pinned to major versions (`>=1.0.0`, `>=10.0.0`). While this ensures a minimum version, it allows for automatic updates to newer minor or patch versions. This can introduce unexpected changes, bugs, or even vulnerabilities if a dependency releases a malicious update. For maximum security and reproducibility, dependencies should be pinned to exact versions. Pin dependencies to exact versions (e.g., `google-genai==1.0.0`, `pillow==10.0.0`) to ensure deterministic builds and prevent unexpected changes from minor/patch updates. Regularly review and manually update dependencies to incorporate necessary security fixes. | Static | scripts/generate_image.py:4 |
Scan History
Embed Code
[](https://skillshield.io/report/36b6b69ce9a3e91c)
Powered by SkillShield