bananahub
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The main execution script `scripts/bananahub.py` utilizes `subprocess.run` to install missing Python dependencies (`google-genai`, `pillow`) when the user runs the initialization command. This is used strictly for setup and is restricted to the specific packages required by the provider adapters.
- [DATA_EXFILTRATION]: The skill implements a telemetry system that sends anonymous usage data to `https://worker.bananahub.ai/api/usage`. The tracked events include template selections and successful generation or edit actions. This behavior is documented and can be opted out of using the `BANANAHUB_DISABLE_TELEMETRY` environment variable.
- [EXTERNAL_DOWNLOADS]: The skill interfaces with external image generation APIs (Google AI Studio, Vertex AI, OpenAI) and may download images from URLs or Base64 data URIs provided in chat responses (particularly in the ChatGPT-compatible provider mode).
- [REMOTE_CODE_EXECUTION]: In `scripts/bananahub.py`, the `__import__` function is used for dynamic module loading. This is employed as a check to verify if the necessary libraries for a selected provider are available in the current environment before execution.
Audit Metadata