Trust Assessment
nano-banana-pro received a trust score of 22/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 0 medium, and 1 low severity. Key findings include Path Traversal Vulnerability in Output Filename, Path Traversal Vulnerability in Input Image Path, Dependencies Pinned with Minimum Versions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Path Traversal Vulnerability in Output Filename.** The script constructs an output file path using `Path(args.filename)` without sanitizing `args.filename`. An attacker can use path traversal sequences (e.g., `../`) in the `--filename` argument to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing malicious content. Sanitize the `args.filename` input to prevent path traversal. Ensure the filename does not contain directory separators or `../` sequences, or restrict the output path to a designated safe directory. For example, use `Path(safe_output_dir) / Path(args.filename).name`. | Static | scripts/generate_image.py:80 |
| CRITICAL | **Path Traversal Vulnerability in Input Image Path.** The script opens input images using `PILImage.open(img_path)` where `img_path` is derived directly from user-controlled `args.input_images`. An attacker can use path traversal sequences (e.g., `../`) in the `--input-image` argument to read arbitrary files from the filesystem. While `PILImage.open` might fail for non-image files, the attempt to open and potentially read file contents (or check for existence) from arbitrary paths is a significant information disclosure risk. Sanitize the `img_path` input to prevent path traversal. Ensure the path does not contain directory separators or `../` sequences, or restrict input paths to a designated safe directory. For example, resolve the path and ensure it's within an allowed base directory using `pathlib.Path.resolve()` and checking `is_relative_to()`. | Static | scripts/generate_image.py:109 |
| HIGH | **LLM analysis found no issues despite critical deterministic findings.** Deterministic layers flagged 2 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) |
| LOW | **Dependencies Pinned with Minimum Versions.** The `requires-python` and `dependencies` specify minimum versions (e.g., `google-genai>=1.0.0`, `pillow>=10.0.0`) rather than exact versions. While this allows for updates, it introduces a minor supply chain risk where a future, vulnerable version of a dependency could be installed without explicit review, potentially leading to unexpected behavior or security issues. Pin dependencies to exact versions (e.g., `google-genai==1.0.0`) to ensure reproducible builds and prevent unexpected updates that might introduce vulnerabilities. Regularly review and update these pinned versions. | Static | scripts/generate_image.py:3 |
| INFO | **API Key Can Be Exposed via Command Line Arguments.** The script allows the Gemini API key to be passed directly as a command-line argument (`--api-key`). While convenient, this method can expose the API key in system process lists (e.g., `ps aux` output), making it visible to other users or processes on the same system. Environment variables or secure configuration files are generally preferred for sensitive credentials. Advise users to avoid passing API keys directly on the command line. Emphasize the use of environment variables (`GEMINI_API_KEY`) or secure configuration files (as suggested in `SKILL.md`) for storing and accessing sensitive credentials. Consider removing the `--api-key` argument if the skill is primarily intended for environments where env vars or config files are readily available. | Static | scripts/generate_image.py:60 |