nano-banana-pro
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Untrusted content enters the system via the --prompt and --reference CLI arguments in scripts/image.py.
  - Boundary markers: No markers or delimiters are used to isolate the untrusted input from the system instructions.
  - Capability inventory: The skill can write files to arbitrary paths via image.save() and perform network operations via the Gemini API.
  - Sanitization: There is no logic to sanitize the prompt or validate that the output path is restricted to safe directories.
- COMMAND_EXECUTION (LOW): The skill executes a local Python script using 'uv run'. This is expected behavior for its design but is identified as a capability that executes code in the host environment.
Recommendations
- AI detected serious security threats
Audit Metadata