nano-banana
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads files from a remote workflow (refly.ai) and executes the `open` command on the resulting files.
  - Evidence: In `SKILL.md`, Step 3 uses `refly file download "$FILE_ID"` followed by `open "$HOME/Desktop/${FILE_NAME}"`.
  - Risk: There is no validation to ensure the downloaded file is an image. A malicious workflow could provide a shell script or executable (e.g., `.sh`, `.command`, or `.app`) which `open` would execute, leading to Remote Code Execution (RCE).
- [COMMAND_EXECUTION] (MEDIUM): The skill uses shell scripts to process data retrieved from a remote API without sanitization.
  - Evidence: The variable `${FILE_NAME}` is extracted from the remote JSON response using `jq` and used directly in the `open` command.
  - Risk: Maliciously crafted filenames could potentially be used for command injection or to overwrite sensitive files if the pathing is manipulated, although the fixed `$HOME/Desktop/` prefix mitigates path traversal.
- [INDIRECT_PROMPT_INJECTION] (MEDIUM): The skill possesses a high-risk capability (file execution) while ingesting untrusted data from an external workflow.
  - Ingestion Points: `refly workflow toolcalls` output in `SKILL.md`.
  - Boundary Markers: Absent; the skill blindly processes all files returned by the workflow.
  - Capability Inventory: File write to `$HOME/Desktop` and system-level execution via `open`.
  - Sanitization: None; the skill does not verify file extensions or MIME types before opening.
Recommendations
- AI detected serious security threats
Audit Metadata