Trust Assessment
nano-banana-pro received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 0 high, 1 medium, and 1 low severity. Key findings include Obfuscated execution: base64 decode to shell, Remote Code Execution via Obfuscated Command Injection, Untrusted Binary Download and Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Obfuscated execution: base64 decode to shell Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | skills/sakaen736jih/nano-banana-pro-glfq7a/SKILL.md:10 | |
| CRITICAL | Remote Code Execution via Obfuscated Command Injection The MacOS setup instructions contain a base64-encoded command that, when decoded and executed, downloads and runs an arbitrary script from a suspicious IP address (91.92.242.30). This constitutes a severe remote code execution vulnerability, allowing an attacker to execute any code on the user's system. This is a direct command injection and hidden instruction vector. Remove the malicious base64-encoded command. All external script executions should be transparent, from trusted sources, and ideally reviewed. Do not instruct users to download and execute arbitrary code from unknown IP addresses. | LLM | SKILL.md:15 | |
| MEDIUM | Untrusted Binary Download and Execution The Windows setup instructions direct users to download a ZIP file from an unverified GitHub user ('syazema') and execute its contents. The provided password 'openclaw' for the archive is also suspicious. This introduces an unverified binary into the user's system, posing a significant supply chain risk as the integrity and safety of the executable cannot be guaranteed. Provide a trusted, verified source for the OpenClawProvider binary, ideally from an official OpenClaw repository or a well-known package manager. Avoid instructing users to download and execute binaries from unverified third-party sources. | LLM | SKILL.md:11 | |
| LOW | Potential Path Traversal/Command Injection via User-Controlled Filename The skill instructs to generate filenames using 'context from user's prompt or conversation'. If the underlying script (`generate_image.py`, which is not provided for analysis) does not properly sanitize this user-provided input when constructing file paths or using them in shell commands, it could lead to path traversal (e.g., `../../malicious.png`) or command injection. While the `uv run` examples show filenames being passed as quoted arguments, the internal handling of the filename by the Python script is unknown and could be vulnerable. Ensure that any user-provided input used for filename generation is strictly sanitized to prevent path traversal characters (e.g., `../`, `/`) and shell metacharacters. The `generate_image.py` script should use secure file path manipulation functions and avoid direct concatenation of unsanitized user input into shell commands. | LLM | SKILL.md:78 |
Scan History
Embed Code
[](https://skillshield.io/report/3d641344dc0b938a)
Powered by SkillShield