nanobanana
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructions include a command to install a third-party Go binary: `go install maragu.dev/nanobanana@latest`. The source domain `maragu.dev` is not on the trusted list of providers, meaning the code being downloaded and executed has not been verified for safety.
- [COMMAND_EXECUTION] (LOW): The core functionality of the skill relies on executing the `nanobanana` CLI tool to perform network requests (image generation) and local file system writes. While this is the intended purpose, it grants the agent the capability to run arbitrary commands associated with this tool.
- [CREDENTIALS_UNSAFE] (LOW): The skill requires the user to provide a `GOOGLE_API_KEY`. While it suggests using environment variables or a `.env` file, this pattern introduces the risk of sensitive credential exposure if the working directory is shared or if other skills have file-read access.
Audit Metadata