nano-banana-pro
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Path traversal vulnerability in
generate_image.py. The script determines the output path usingPath.cwd() / args.filename. Because thefilenameargument is user-controlled and not sanitized for directory traversal characters (e.g.,../), it could be exploited to overwrite sensitive files outside of the intended working directory. - [DATA_EXFILTRATION] (LOW): The skill facilitates reading arbitrary local files through the
--input-imageparameter. While intended for image data, there are no file type or path restrictions, allowing the agent to potentially read and transmit non-image file contents to the external API if tricked by a prompt. - [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection.
- Ingestion points: Processes user-supplied text prompts and external image files via the
--input-imageparameter. - Boundary markers: None. Input content is interpolated directly into the API request without delimiters or 'ignore' instructions.
- Capability inventory: The skill has the ability to read/write local files and communicate with external Google APIs.
- Sanitization: No validation or sanitization is performed on the prompt text or the filename inputs.
Audit Metadata