banana

Warn

Audited by Socket on Apr 14, 2026

2 alerts found (Anomaly x2):

Anomaly (LOW) in SKILL.md

SUSPICIOUS: The skill’s image-generation behavior is broadly aligned with its stated purpose, but it introduces medium trust risk by routing a Google API key through a third-party MCP package installed via mutable npx/npm paths. No clear malware or exfiltration is shown, yet install provenance and credential forwarding are not tight enough to treat as fully benign.

Confidence: 81%, Severity: 62%

Anomaly (LOW) in scripts/setup_mcp.py

The most complete assessment of this file is a supply-chain and credential-handling risk: the code itself does not show direct malware (no exfiltration or payload execution), but it (1) persistently stores the user's Google AI API key in plaintext in `~/.claude/settings.json` and (2) configures Claude Code to run an unpinned npm package via `npx -y @ycse/nanobanana-mcp`, a significant indirect supply-chain execution vector. Additionally, `--check` prints masked key fragments, which can still leak partial secrets into terminal or log history. Review the legitimacy of the MCP package and protect or limit access to the settings file (and ideally avoid plaintext key storage).

Confidence: 72%, Severity: 69%

Audit Metadata

Analyzed At: Apr 14, 2026, 07:29 AM
Package URL: pkg:socket/skills-sh/AgriciDaniel%2Fbanana-claude%2Fbanana%2F@d1b5d4e48de87f3d5d7ea5ef599deb8ef263fa1d