nano-banana2-gen-image

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds a clear API key (ak=gGoT3706okXuOVHBBhA1SBG8erOvgihU_GPT_AK) directly in URLs and curl/python examples, forcing the agent to include that secret verbatim in generated requests/commands.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The documentation contains a literal API key-like value used in endpoint URLs and example requests: "gGoT3706okXuOVHBBhA1SBG8erOvgihU_GPT_AK". This is a specific, non-placeholder, high-entropy-looking token (mix of upper/lowercase letters, digits, and punctuation) and is directly present — so it meets the definition of a secret. I ignored obvious non-secrets such as the X-TT-LOGID test values (low-entropy identifiers like "nanobanana_test_*"), placeholder strings like "base64_encoded_image_data", and other documentation/example values that are explicitly placeholders or low-entropy examples.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:54 AM