nanobanana
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `subprocess.run` within its test suite (tests/test_nanobanana.py) to verify the CLI functionality. This is standard practice for integration testing; the call is not used in the production script itself.
- [CREDENTIALS_UNSAFE]: The script reads `GEMINI_API_KEY` from environment variables or `.env` files. It explicitly includes rules to "Never print secrets" and follows best practice by not hardcoding any actual credentials. Example placeholders in the documentation are generic and non-functional.
- [EXTERNAL_DOWNLOADS]: The script performs legitimate API requests to Google's official Gemini endpoint (`generativelanguage.googleapis.com`) or to user-configured custom gateways. These are standard operations for the skill's primary purpose, image generation.
- [REMOTE_CODE_EXECUTION]: No remote code execution patterns were found. The script processes image data and text prompts strictly for API consumption and local file saving, without executing external scripts.
- [DATA_EXFILTRATION]: No data exfiltration was detected. The script reads local images only when the user explicitly supplies them via `--input-image` for editing, and sends them only to the configured API endpoint.
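The credential handling the audit describes (key taken from the environment or a `.env` file, never echoed) is a pattern worth reproducing exactly. The block below is an added illustration written for this page, not the nanobanana skill's own code: it parses `.env` content without a third-party library, lets the process environment take precedence, fails without echoing any value, and scrubs a secret from log lines before they are written. The variable name `GEMINI_API_KEY` comes from the audit; the function names and the sample `.env` text are constructed for the example.

```python
import hashlib
import os

# Added example for this audit page, not the skill's code.
ENV_VAR = "GEMINI_API_KEY"


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser for .env content.

    Skips blank lines and '#' comments, strips one layer of matching quotes.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_api_key(environ=None, dotenv_text=None) -> str:
    """Return the API key; process environment wins over .env content.

    The error raised on a missing key names the variable only, never a value.
    """
    environ = os.environ if environ is None else environ
    key = environ.get(ENV_VAR)
    if not key and dotenv_text is not None:
        key = parse_dotenv(dotenv_text).get(ENV_VAR)
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set (environment or .env)")
    return key


def redact(message: str, secrets) -> str:
    """Replace every occurrence of each known secret in a log line."""
    for secret in secrets:
        if secret:
            message = message.replace(secret, "[REDACTED]")
    return message


def fingerprint(secret: str) -> str:
    """A loggable stand-in for a secret: length plus a truncated SHA-256.

    Lets two runs confirm they used the same key without revealing it.
    """
    digest = hashlib.sha256(secret.encode()).hexdigest()[:8]
    return f"len={len(secret)} sha256={digest}"


if __name__ == "__main__":
    # Constructed .env text standing in for a file on disk.
    sample_env = '# local config\nGEMINI_API_KEY="AIza-example-not-real"\n'
    key = load_api_key(environ={}, dotenv_text=sample_env)
    print(redact(f"using key {key}", [key]))   # key never reaches stdout
    print(fingerprint(key))
```

Pass every value that could appear in an exception or HTTP error body through `redact` before logging it; a gateway that echoes the request headers back in a 4xx response is the usual way a key leaks despite a "never print secrets" rule.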
Audit Metadata