nano-banana-pro

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH

Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • DATA_EXFILTRATION (HIGH): The generate_image.py script allows the reading of arbitrary files from the filesystem through the -i or --image command-line argument. The contents of these files are read as bytes and transmitted to the Google GenAI API. An attacker could exploit this to exfiltrate sensitive information, such as SSH keys (~/.ssh/id_rsa) or environment files (.env), by passing these paths as input images.
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to indirect prompt injection. It ingests untrusted data from user prompts and external images (ingestion points: prompt and args.images in generate_image.py) and passes them to a powerful model without any boundary markers or sanitization. Given the skill's capabilities (capability inventory: network access via google-genai and file-write access via image.save), a malicious input could be used to manipulate the agent's behavior or exfiltrate data.
  • COMMAND_EXECUTION (LOW): The SKILL.md file instructs the agent to execute the Python script using uv run. While this is the intended use of the tool, it requires the agent to have Bash execution privileges, which increases the impact of any successful prompt injection attack.
  • METADATA_POISONING (MEDIUM): The skill references a non-existent or placeholder model 'gemini-3-pro-image-preview' and uses a whimsical name 'Nano Banana Pro'. This is misleading regarding the actual underlying model's capabilities and safety profile.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:08 AM