nano-banana
Fail
Audited by Snyk on Mar 9, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). This URL points to a third‑party GitHub repository (not an official vendor download) that would be installed as executable extension code—GitHub is generally safer than unknown file hosts, but installing arbitrary/low‑visibility repos from unverified accounts can deliver malicious scripts, so treat it as moderately risky unless you audit the repo first.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill requires installing the nanobanana extension from https://github.com/gemini-cli-extensions/nanobanana (via gemini extensions install), which fetches and installs remote code that the Gemini CLI will execute at runtime to handle prompts/commands, making it a required runtime-controlled external dependency.
Audit Metadata