sf-diagram-nanobananapro

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's documentation and the scripts/check-prerequisites.sh script suggest installing the uv tool by piping a remote script directly to a shell (curl -LsSf https://astral.sh/uv/install.sh | sh). While the source is a recognized provider, this pattern is inherently insecure as it bypasses local package management protections and integrity checks.
  • [COMMAND_EXECUTION]: The skill instructions frequently utilize the --yolo flag for the gemini CLI. This flag suppresses interactive confirmation prompts, enabling the AI agent to execute image generation and modification commands autonomously without user verification, which increases risk in the event of prompt manipulation.
  • [COMMAND_EXECUTION]: The scripts/generate_image.py script calls the macOS open command on file paths that include user-influenced filenames. Although it uses argument lists to prevent shell injection and extracts the filename stem to mitigate directory traversal, the execution of system commands on user-controlled paths is a risky pattern.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from user requests and Salesforce metadata and interpolates it into prompts for the Gemini model without explicit boundary markers or sanitization logic to prevent malicious input from hijacking the agent's behavior.
    • Ingestion points: User-provided image descriptions and Salesforce object/field metadata fetched at runtime via sf-metadata.
    • Boundary markers: None identified; input is directly concatenated into prompt templates.
    • Capability inventory: Execution of the gemini CLI, file writing to the home directory, and execution of the open system command.
    • Sanitization: None identified in the prompt construction logic.
  • [CREDENTIALS_UNSAFE]: The skill requires the user to store a sensitive GEMINI_API_KEY as a plain-text environment variable in their shell configuration (~/.zshrc). While the documentation correctly advises against committing the key to version control, this storage method leaves the credential vulnerable to any process with access to the user's environment variables.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 14, 2026, 03:25 PM