nano-banana-pro
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- **Category 2 - Data Exposure & Arbitrary File Write (HIGH):** The skill provides unrestricted access to the local filesystem.
  - Evidence: In `scripts/generate_image.py`, the `--input-image` argument is passed directly to PIL's `Image.open(args.input_image)`. An attacker could trick the agent into reading files it should not touch (the report cites `~/.ssh/id_rsa`) and sending their contents to the external API. Note that `Image.open` raises `UnidentifiedImageError` for files it cannot recognise as an image, so a plain-text private key will not load; any image anywhere on disk, however, can be read and uploaded.
  - Evidence: The `--filename` argument is used in `output_path.parent.mkdir(parents=True, exist_ok=True)` and `image.save(str(output_path), 'PNG')` without path validation or sandboxing. This allows an attacker to overwrite critical files such as `~/.bashrc` or `~/.ssh/authorized_keys` with PNG data, corrupting them (denial of service); turning this into persistence would additionally require control over the bytes written.
- **Category 8 - Indirect Prompt Injection (HIGH):** The skill creates a high-privilege attack surface by combining external data ingestion with filesystem write capabilities.
  - Ingestion points: Untrusted data enters via `args.input_image` (local file content) and `args.prompt` (external text instructions) in `scripts/generate_image.py`.
  - Boundary markers: None. There are no delimiters or instructions to the model to ignore embedded commands in the input data.
  - Capability inventory: The skill possesses `file-read` (via PIL), `file-write` (via image save), and `directory-creation` capabilities.
  - Sanitization: No sanitization or path normalization is performed on any user-provided argument before it is used in filesystem operations.
- **Category 7 - Metadata Poisoning (MEDIUM):** The skill uses the names "Nano Banana Pro" and "Gemini 3 Pro Image", which the audit considers not to correspond to official Google product names, potentially deceiving users about the nature or safety of the underlying model. Re-check this finding against Google's current product naming before acting on it: Google has itself used the "Nano Banana" name for its Gemini image-generation models.
Recommendations
- The audit flags serious security threats. Based on the findings above: normalize and validate `--input-image` and `--filename` and confine both to a directory the skill is explicitly allowed to use; do not pass unchecked `--prompt` text to the model without delimiting it and instructing the model to treat it as data; and run the skill with only the file-read, file-write and directory-creation access that directory requires.