nanobanana

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): Unrestricted File Write/Overwrite. Both scripts/generate.py and scripts/batch_generate.py accept arbitrary file paths for output (--output, --dir) and proceed to create directories and write files to those locations without any path validation or sandboxing. This enables an attacker to overwrite critical configuration files (e.g., .bashrc, .ssh/authorized_keys) with binary image data.
  • DATA_EXFILTRATION (MEDIUM): Arbitrary File Read. The load_image_as_base64 function in scripts/generate.py reads any file path provided via the --input argument and sends the base64-encoded content to the external Gemini API. This can be exploited to leak local file contents to the model provider.
  • PROMPT_INJECTION (MEDIUM): Indirect Prompt Injection Surface. The skill ingests untrusted text prompts and interpolates them directly into the Gemini API request without delimiters or sanitization. (1) Ingestion points: prompt argument and input image files. (2) Boundary markers: None identified. (3) Capability inventory: File system write and external network communication via google-genai client. (4) Sanitization: None identified.
  • Metadata Poisoning (LOW): Misleading Metadata. The documentation and plugin metadata claim the use of a 'Gemini 3 Pro Image' model, which is a non-existent version of Google's Gemini models, potentially deceiving users about the skill's actual backend and safety properties.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:53 AM