nano-banana-2-image-gen
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill instructions mandate using the user's "original complete input" directly as the prompt parameter. This lack of sanitization or filtering creates a surface for indirect prompt injection. Ingestion points: User input for prompt and edit instructions in SKILL.md. Boundary markers: Absent. Capability inventory: File writing and network operations in generate_image.js/py. Sanitization: Absent in the provided templates.
- [COMMAND_EXECUTION]: The SKILL.md provides command templates such as `node scripts/generate_image.js -p "{prompt}"` that interpolate user-controlled data directly into shell commands. This presents a risk of command injection if the input contains shell metacharacters (e.g., backticks, semicolons) that the executing agent fails to escape.
- [DATA_EXFILTRATION]: The skill transmits the user's API key and image data to a third-party proxy service (api.apiyi.com) not on the trusted vendor list. While functional, this involves sending sensitive information to an external provider.
Audit Metadata