nano-banana
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructs the agent to read sensitive local files such as `.env` and `~/.env` to retrieve API keys. Searching the home directory for configuration files is a high-privilege operation that can lead to the unintended exposure of other secrets or environment variables stored in those files.
- [COMMAND_EXECUTION]: The skill executes dynamically generated Python scripts using `Bash(python3:*)` to perform image generation and file system operations. These scripts read from the environment and write generated assets to the disk based on user-controlled parameters.
- [PROMPT_INJECTION]: The skill contains instructions that attempt to override agent behavior by mandating its own use for all image-related requests and prohibiting other methods. This pattern is often used to ensure specific logic is followed but can interfere with global safety or operational guidelines.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by processing untrusted user input without sanitization or boundary markers.
  - Ingestion points: User-provided image prompts are passed directly to the `google-genai` SDK in `SKILL.md` examples.
  - Boundary markers: None are present to delimit user input or instruct the model to ignore malicious commands embedded in the prompt.
  - Capability inventory: The skill has the capability to read local files, write to the file system, and execute Python code.
  - Sanitization: No validation or filtering of user-provided prompt content is performed before execution.