nano-banana
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation (`SKILL.md`) recommends installing and running unverified npm packages such as `nanobanana-mcp` and `nano-banana-mcp`. These packages are not from any of the trusted organizations listed in the security scope.
- REMOTE_CODE_EXECUTION (MEDIUM): The use of `npx` to fetch and run these packages at runtime allows for the execution of remote code that has not been audited or verified locally.
- COMMAND_EXECUTION (MEDIUM): The skill setup requires running shell commands (e.g., `claude mcp add`) that execute the npm-hosted binaries as persistent background processes (MCP servers).
- PROMPT_INJECTION (LOW): The 'JSON_PROMPT_TRANSLATOR' workflow (`references/translator-prompt.md`) creates an attack surface for indirect prompt injection.
  - Ingestion points: The translator ingests natural language 'human briefs' directly from the user to construct a JSON object that is subsequently converted into instructions for the image model.
  - Boundary markers: The translator's instructions do not use delimiters or 'ignore' directives to prevent instructions embedded within the user brief from being interpreted as authoritative.
  - Capability inventory: The resulting prompts influence the behavior of the `gemini_generate_image` and `gemini_edit_image` tools.
  - Sanitization: No sanitization or validation of the input brief is mentioned or performed before the content is placed into the prompt schema.
Audit Metadata