nano-banana-use
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (LOW): The scripts ingest user-provided prompts and image data, which are passed directly to the generative model without sanitization or boundary markers.
  1. Ingestion points: args.prompt and args.image in all scripts.
  2. Boundary markers: Absent.
  3. Capability inventory: Image generation and local file writing via the Pillow library.
  4. Sanitization: Absent.
- Metadata Poisoning (MEDIUM): There is a critical discrepancy between SKILL.md and the Python scripts. The documentation claims a default safety filter of BLOCK_MEDIUM_AND_ABOVE, while the scripts (generate_image.py, edit_image.py, compose_image.py) default to BLOCK_NONE. This misleading metadata could lead to the unintended generation of harmful or restricted content.
- Unsafe File Operations (LOW): The scripts accept a user-defined output path via the --output argument and use it directly in img.save() without validation, which could be exploited for directory traversal or overwriting system files if the agent is manipulated.