nano-banana

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly accepts external image URLs via the "images" input and exposes an "enable_google_search" option in its input/examples, which cause the agent to fetch and interpret real-time public web/search results and arbitrary third-party images as part of its generation workflow, enabling untrusted content to influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill invokes remote apps via the inference.sh CLI (e.g., "infsh app run google/gemini-3-pro-image-preview"), which at runtime contacts and executes code on https://inference.sh, making that external service a required runtime dependency that executes remote code.