nano-banana-pro
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to indirect prompt injection because it processes untrusted user input and passes it directly to a shell command as a command-line argument.
  - Ingestion points: User image prompts and editing instructions are ingested directly from the user chat as described in SKILL.md.
  - Boundary markers: No delimiters or boundary markers are specified to separate the untrusted prompt data from the command structure.
  - Capability inventory: The skill executes local Python scripts via uv run and has file system write access to save generated images.
  - Sanitization: The instructions explicitly direct the agent to pass the user's prompt "as-is", with no instructions for shell escaping or input validation.
- [COMMAND_EXECUTION] (HIGH): The skill's primary function is to construct and execute a shell command based on user input, which provides a direct vector for shell injection if the agent does not properly escape arguments like --prompt or --filename.
- [CREDENTIALS_UNSAFE] (MEDIUM): The documentation suggests that users may provide API keys in the chat, which the script then uses as a command-line argument (--api-key), potentially exposing sensitive credentials in process logs or command history.
Recommendations
- AI detected serious security threats
Audit Metadata