nano-banana-2
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation includes an installation command that pipes a script from cli.inference.sh to the shell. This is a vendor-controlled resource used for deploying the infsh CLI.
- [EXTERNAL_DOWNLOADS]: The skill references and downloads tools from dist.inference.sh and uses npx to fetch additional skills from the inference-sh organization on GitHub.
- [COMMAND_EXECUTION]: Utilizes the Bash tool to execute infsh commands for generating and managing image assets.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes untrusted user input.
- Ingestion points: Untrusted data enters the agent context through the prompt and images parameters defined in SKILL.md.
- Boundary markers: Input is passed to the CLI using JSON structures, but there are no specific markers or instructions to ignore embedded commands within the input strings.
- Capability inventory: The skill has the ability to execute subprocesses via Bash(infsh *).
- Sanitization: There is no evidence of input validation, escaping, or sanitization for the prompt or image URL data before processing.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata