nano-banana
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The setup instructions direct users to run npx -y nanobanana-mcp. This command downloads and executes a package from the npm registry that is not associated with a trusted organization or verified repository. This allows for arbitrary code execution on the user's machine during the setup and runtime of the MCP server.
- Metadata Poisoning (MEDIUM): The skill documentation repeatedly references "Gemini 3 Pro Image model" and "Nano Banana Pro." As of the current date, no such model exists in Google's Gemini lineup. Providing misleading information about the technology stack may lead users to trust and install unverified software based on false capability claims.
- Indirect Prompt Injection (MEDIUM): The skill has a high-risk attack surface due to its data ingestion patterns.
  - Ingestion points: Processes untrusted data through the prompt, instructions, and imagePath parameters in tools like gemini_edit_image.
  - Boundary markers: None identified in the provided documentation to distinguish between user instructions and potentially malicious data within processed images or complex prompts.
  - Capability inventory: The skill utilizes npx for execution and has file system write access to ~/Documents/nanobanana_generated/.
  - Sanitization: No sanitization or validation of external content is mentioned, which could allow malicious instructions embedded in image metadata or filenames to influence the agent's behavior.
- Data Exposure & Exfiltration (LOW): The skill requests the user to provide a GEMINI_API_KEY and store it in environment variables or configuration files. While this is standard for many tools, when combined with the execution of an unverified third-party package (nanobanana-mcp), it creates a significant risk of credential theft.
Audit Metadata