nano-banana
Audited by Socket on Mar 4, 2026
1 alert found:
Malware: This SKILL.md documents a legitimate-looking integration with the inference.sh platform to run Google Gemini image models. The main security concerns are supply-chain and privacy/trust decisions: it instructs users to run a remote installer via curl|sh (download-and-execute), routes prompts/images and login credentials through a third-party platform (inference.sh) rather than directly to an official vendor API, and recommends transitive installations via npx skills add. There are no hardcoded secrets or obvious backdoor code in the provided text, but the installer and CLI create supply-chain risk and potential credential/data exposure to the inference.sh operator. Users should treat the curl|sh install as high-risk, verify checksums independently, review the infsh login authentication flow and privacy policy, and be cautious about installing transitive skills from npm.