nanobanana-image

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements image generation functionality using official Google API endpoints (googleapis.com). No malicious patterns, obfuscation, or unauthorized data access were detected.
  • [DATA_EXPOSURE]: The skill follows security best practices for secret management by requiring the GOOGLE_API_KEY to be provided via environment variables, avoiding hardcoded credentials in the source code.
  • [COMMAND_EXECUTION]: The skill includes scripts (generate-image.js and generate-image.py) intended to be executed by the agent to fulfill user requests for image generation. These scripts use standard libraries to perform their tasks.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it processes user-provided text for image generation. However, it relies on the safety filters of the Google Gemini API, and its capabilities are limited to writing image files to the local system.
    ◦ Ingestion points: User-provided command-line arguments in scripts/generate-image.js and scripts/generate-image.py.
    ◦ Boundary markers: Prompts are prefixed with 'Generate an image:' within the JSON payload sent to the API.
    ◦ Capability inventory: File system write access for saving generated images.
    ◦ Sanitization: Relies on the external API provider's content safety filtering.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 26, 2026, 06:49 AM