Trust Assessment
nanobanana-ppt-skills received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 30 findings: 8 critical, 11 high, 11 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Unsafe environment variable passthrough, and Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (30)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/itrocker/nanobanana-ppt-skills/run.sh:27 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/itrocker/nanobanana-ppt-skills/run.sh:28 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/itrocker/nanobanana-ppt-skills/video_composer.py:59 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/itrocker/nanobanana-ppt-skills/video_composer.py:101 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/itrocker/nanobanana-ppt-skills/SKILL.md:241 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/itrocker/nanobanana-ppt-skills/SKILL.md:417 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/itrocker/nanobanana-ppt-skills/generate_ppt.py:44 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/itrocker/nanobanana-ppt-skills/transition_prompt_generator.py:91 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/itrocker/nanobanana-ppt-skills/transition_prompt_generator.py:91 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/itrocker/nanobanana-ppt-skills/video_materials.py:5 | |
| HIGH | Potential data exfiltration: file read + network send Function 'download_video' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/itrocker/nanobanana-ppt-skills/kling_api.py:334 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_verify_ffmpeg'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/itrocker/nanobanana-ppt-skills/video_composer.py:59 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_run_ffmpeg'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/itrocker/nanobanana-ppt-skills/video_composer.py:101 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/itrocker/nanobanana-ppt-skills/SKILL.md:241 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/itrocker/nanobanana-ppt-skills/SKILL.md:417 | |
| HIGH | Arbitrary File Read via User-Controlled Style/Template Path The `generate_ppt.py` script uses user-provided paths for `--style` and `--template` arguments directly in `open()` calls without sanitization. An attacker can use path traversal sequences (e.g., `../../../../etc/passwd`) to read arbitrary files on the system. The content of these files could then be included in the generated prompts or output, leading to data exfiltration. Sanitize user-provided paths to ensure they are within expected directories (e.g., `styles/` or `templates/`) using `pathlib.Path.resolve()` and checking against a base directory, or by validating the path components. | LLM | generate_ppt.py:100 | |
| HIGH | Arbitrary File Read via User-Controlled Prompts File Path The `PromptFileReader` class in `prompt_file_reader.py` takes a user-provided `prompts_file` path (from `--prompts-file` argument in `generate_ppt_video.py`) and uses it directly in an `open()` call. This allows an attacker to use path traversal sequences (e.g., `../../../../etc/shadow`) to read arbitrary JSON files or other files on the system. The content of these files could then be processed by the skill, potentially leading to data exfiltration or further manipulation. Sanitize the `prompts_file` path to ensure it is within an expected output directory or validate its components to prevent path traversal. | LLM | prompt_file_reader.py:18 | |
| HIGH | Arbitrary File Write via User-Controlled Output Directory The `generate_ppt_video.py` script accepts a user-controlled `--output-dir` argument. This directory is then used to create new directories (`os.makedirs(output_dir, exist_ok=True)`) and write all generated video files, HTML viewers, and other artifacts. An attacker could specify a sensitive system directory (e.g., `/tmp/cron.d`) to write malicious files, potentially leading to privilege escalation or system compromise, assuming the skill runs with sufficient permissions. Restrict the `--output-dir` to a dedicated, sandboxed output location within the skill's own directory or a temporary directory, and prevent path traversal. | LLM | generate_ppt_video.py:88 | |
| HIGH | Command Injection via Unsanitized FFmpeg Resolution Parameter The `video_composer.py` script constructs an FFmpeg video filter (`-vf`) string using `width` and `height` values derived from the user-controlled `--resolution` argument (passed from `generate_ppt.py`). If the `--resolution` argument is not strictly validated to contain only numeric values and the 'x' separator, an attacker could inject malicious FFmpeg filter commands (e.g., `100:force_original_aspect_ratio=decrease,drawtext=text='$(whoami)'`) into the `-vf` string. This could lead to arbitrary command execution via FFmpeg's `drawtext` filter or other vulnerable filters, assuming FFmpeg is configured to allow such operations. Strictly validate the `--resolution` argument to ensure it conforms to the expected "WxH" format with only numeric values for width and height. Convert `width` and `height` to integers immediately after parsing and use these integer values in the f-string. | LLM | video_composer.py:190 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/itrocker/nanobanana-ppt-skills/generate_ppt.py:325 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/itrocker/nanobanana-ppt-skills/generate_ppt_video.py:343 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/itrocker/nanobanana-ppt-skills/kling_api.py:5 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/itrocker/nanobanana-ppt-skills/simple_transition_prompt_generator.py:5 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/itrocker/nanobanana-ppt-skills/SKILL.md:1 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/itrocker/nanobanana-ppt-skills/kling_api.py:16 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/itrocker/nanobanana-ppt-skills/install_as_skill.sh:60 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/itrocker/nanobanana-ppt-skills/run.sh:27 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/itrocker/nanobanana-ppt-skills/run.sh:28 | |
| MEDIUM | Potential Data Exfiltration via Image Upload to External APIs The `kling_api.py` and `transition_prompt_generator.py` scripts read image files (derived from the user-controlled `--slides-dir` argument in `generate_ppt_video.py`) and base64 encode them before sending them to external APIs (Kling AI and Claude AI, respectively). While `scan_slide_images` uses a `glob("slide-*.png")` pattern, an attacker could potentially create a symlink or hardlink named `slide-01.png` pointing to a sensitive file (e.g., `/etc/passwd`) within the specified `slides_dir`. If this occurs, the content of the sensitive file would be base64 encoded and exfiltrated to the external AI service. Ensure that the `slides_dir` and its contents are strictly controlled and validated. Consider using a dedicated, isolated temporary directory for processing user-provided images, and verify that image files are actual image formats before processing. Additionally, restrict the `slides_dir` path to prevent traversal. | LLM | kling_api.py:160 | |
| MEDIUM | Unpinned Python and System Dependencies The `install_as_skill.sh` script installs Python packages (`google-genai`, `pillow`, `python-dotenv`) and system packages (`ffmpeg`) without specifying exact versions. This introduces a supply chain risk, as future versions of these dependencies could introduce vulnerabilities, breaking changes, or even malicious code. Pin all Python dependencies to exact versions in a `requirements.txt` file (e.g., `google-genai==0.5.0`). For system dependencies like FFmpeg, recommend specific versions or provide instructions for verifying integrity. | LLM | install_as_skill.sh:120 | |