nano-banana
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill allows arbitrary file access through user-controlled path parameters.
  - Evidence: In `multi_turn_chat.py`, the `/load` command opens images using `Image.open(path)` without verification.
  - Evidence: In `generate_image.py` and `edit_image.py`, the `output_path` argument is passed directly to `image.save()`. Because `pathlib.Path` joins treat absolute paths as overrides, a user can overwrite sensitive system files (e.g., `/etc/hosts`) by providing an absolute path.
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted user instructions and passes them to a high-capability AI model without sanitization, creating a risk of malicious instructions being executed via file operations.
  - Ingestion points: User CLI arguments in `generate_image.py` and interactive input in `multi_turn_chat.py`.
  - Boundary markers: Absent.
  - Capability inventory: `image.save()` (file-write capability) in `scripts/generate_image.py`, `scripts/edit_image.py`, and `scripts/multi_turn_chat.py`.
  - Sanitization: Absent.
- [Metadata Poisoning] (LOW): Hardcoded absolute paths to a specific user's home directory are present in script shebangs (`#!/Users/phaedrus/...`), exposing local system information and creating environment dependencies.
Recommendations
- AI detected serious security threats
Audit Metadata