Trust Assessment
nano-banana-pro received a trust score of 64/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Sensitive path access: AI agent config", "Arbitrary File Read/Write via Path Traversal", and "User-provided File Content Exfiltrated to Third-Party API".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/dycathecorde/nano-banana-pro-2/SKILL.md:23 |
| HIGH | Arbitrary File Read/Write via Path Traversal. The skill allows reading and writing to arbitrary file paths on the system due to insufficient validation of user-provided `--input-image` and `--filename` arguments. A malicious user could specify paths like `../../etc/passwd` for reading or `../../tmp/malicious.png` for writing, leading to data leakage or unauthorized file modification. Implement strict path validation for `--input-image` and `--filename` arguments. Restrict file operations to a designated, sandboxed directory (e.g., a `media` or `output` subdirectory within the skill's working directory). Sanitize filenames to prevent directory traversal characters (e.g., `..`, `/`) and absolute paths. | LLM | scripts/generate_image.py:64 |
| MEDIUM | User-provided File Content Exfiltrated to Third-Party API. The skill loads user-specified image files via the `--input-image` argument and directly passes their content to the Google Gemini API (`client.models.generate_content`). While this is the intended functionality for image editing, it means the content of any file the user provides will be transmitted to Google's servers. Users should be explicitly aware that their local file data is being sent to a third-party service. Clearly document in the skill's description and usage instructions that input image data is sent to the Google Gemini API. Consider adding a user consent prompt before sending sensitive data, if applicable, or ensure that the skill's environment is configured to handle such data appropriately. | LLM | scripts/generate_image.py:95 |