generate-image
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow constructs a shell command by interpolating the user prompt (`{{arg:1}}`) directly into a Bash template: `uv run python .claude/scripts/nano_banana_pro.py "{{arg:1}}"`.
  - Evidence: The template uses double quotes (`"{{arg:1}}"`), which do not prevent shell command substitution or arithmetic expansion in Bash.
  - Impact: An attacker can provide a prompt such as `$(id)` or `` `whoami` `` to execute commands on the host machine with the agent's privileges.
- [PROMPT_INJECTION]: The `{{arg:1}}` argument serves as an untrusted input vector that bypasses the intended script execution by injecting malicious shell commands.
  - Ingestion points: The user-provided `<prompt>` argument in `{{arg:1}}` and `--reference` file paths.
  - Boundary markers: The prompt is enclosed in double quotes within the Bash command, which is an ineffective boundary against shell metacharacters.
- Capability inventory: The skill utilizes the `Bash` tool to execute Python scripts, granting access to the underlying system shell.
- Sanitization: The instructions do not define any sanitization, escaping, or validation logic for the input prompt before it is passed to the shell.
Recommendations
- AI detected serious security threats