Trust Assessment
nano-banana-pro received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 1 medium, and 1 low severity. Key findings include "Sensitive path access: AI agent config", "Node lockfile missing", and "Unsanitized output filename allows path traversal".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/autogame-17/nano-banana-pro-multi-image/SKILL.md:23 |
| HIGH | Unsanitized output filename allows path traversal | The skill constructs an output file path using `args.filename` directly from user input without sanitization. An attacker can provide a path like `../../../../etc/malicious.png` to write files to arbitrary locations on the file system, potentially overwriting critical system files or creating new ones in sensitive directories. Sanitize the `args.filename` to ensure it only contains a base filename or is restricted to a specific output directory. For example, use `Path(output_dir) / Path(args.filename).name` to prevent path traversal, or implement robust path validation. | LLM | scripts/generate_image.py:100 |
| HIGH | Unsanitized input image paths allow arbitrary file read | The skill accepts multiple `--input-image` arguments, which are then used directly with `PILImage.open()`. An attacker can provide paths like `../../../../etc/passwd` to attempt to read arbitrary files from the file system. While `PILImage.open()` might fail on non-image files, it still attempts to access them, which can be used for reconnaissance or to trigger errors that leak information. Sanitize `img_path` to ensure it refers to files only within an allowed directory (e.g., a temporary directory or a user-specific input directory). Implement strict validation to prevent path traversal, for example, by resolving the path and checking if it's within an allowed base directory. | LLM | scripts/generate_image.py:118 |
| MEDIUM | Broad .env file loading from parent directories | The `env_loader.py` script attempts to load `.env` files from the current directory and all parent directories up to the root. This broad search path could lead to unintended environment variable injection if a malicious `.env` file is present in a directory higher up the file system hierarchy than expected. While `generate_image.py`'s `get_api_key` has a more targeted `.env` search for `GEMINI_API_KEY`, the `env_loader.py` is imported and executed unconditionally, potentially setting other environment variables. Restrict `.env` loading to a specific, known directory (e.g., the skill's root directory) or explicitly validate the source of the `.env` file. For skills, it's generally more secure to rely on environment variables provided by the host system or explicit command-line arguments rather than broad `.env` file discovery. | LLM | scripts/env_loader.py:20 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/autogame-17/nano-banana-pro-multi-image/package.json |