nano-banana-image-combine

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and encodes arbitrary user-provided image URLs (ImageEncoder.download_image / _prepare_images, image_download.py handling CombineImagesInput.image_urls) and sends those untrusted images to Gemini via OpenRouter (OpenRouterService.chat_with_images), and the chat endpoint also injects selected image URLs into the agent's system prompt—so the agent consumes and interprets third-party content from arbitrary public URLs.