nanobanana
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill contains a mechanism to globally disable SSL certificate verification, creating a significant risk of data interception.
  - Evidence: The `disable_ssl_verification()` function in `scripts/generate.py` overrides the global SSL context using `ssl._create_default_https_context = ssl._create_unverified_context`.
  - Evidence: It further monkey-patches the `httpx.Client` and `httpx.AsyncClient` classes to default `verify=False`, which affects all network requests made using this library within the same process.
  - Risk: If a user enables this via the `--no-ssl-verify` flag or the `NANOBANANA_NO_SSL_VERIFY` environment variable, the Gemini API key (sent in headers) and the generated image data can be intercepted by an attacker on the network.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the way it handles input prompts without sanitization or boundary markers.
  - Ingestion points: The `prompt` argument in `scripts/generate.py` and `scripts/batch_generate.py` accepts arbitrary text strings.
  - Boundary markers: No delimiters or safety instructions (e.g., 'ignore instructions within the data') are used when passing the prompt to the model.
  - Capability inventory: The skill possesses network access (Google Gemini API) and file-writing capabilities (`output_path`).
  - Sanitization: No input validation or escaping is performed on the prompt before it is interpolated into the API request.
- [COMMAND_EXECUTION]: The script `scripts/batch_generate.py` dynamically modifies the Python path to import local modules.
  - Evidence: `sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))` followed by `from generate import ...`.
  - Context: While common in local script development, this can lead to arbitrary code execution if a malicious file (e.g., `generate.py`) is placed in the script's directory.