banana
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill directs all image generation and editing traffic to the official Google Generative Language API (generativelanguage.googleapis.com), a well-known and legitimate service.
- [REMOTE_CODE_EXECUTION]: The skill configures an MCP server using `npx` to run the `@ycse/nanobanana-mcp` package from the official npm registry, which is the standard deployment model for this platform.
- [CREDENTIALS_UNSAFE]: API keys are managed securely by reading from environment variables or user input and storing them in the standard application configuration file (`~/.claude/settings.json`), avoiding hardcoded secrets.
- [DATA_EXFILTRATION]: Analysis of the fallback scripts and MCP configuration shows that data transmission is limited to the prompts and images required for the skill's stated purpose, with no unauthorized external communication.
- [COMMAND_EXECUTION]: The skill utilizes local image processing utilities such as ImageMagick and FFmpeg for user-requested post-processing, which is appropriate for a creative director toolset.
Audit Metadata