nano-banana

Fail

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to download and install a third-party extension from an unverified GitHub repository ('https://github.com/gemini-cli-extensions/nanobanana'). Installing executable code from unknown external sources is a high-risk operation that can lead to full system compromise.
  • [COMMAND_EXECUTION]: The skill explicitly requires the use of the '--yolo' flag for all operations, which is described as 'Required' to 'Auto-approve all tool actions (no confirmation prompts)'. This intentionally bypasses safety controls and user oversight for shell command execution.
  • [PROMPT_INJECTION]: The skill employs authoritative instructions ('REQUIRED for all image generation requests', 'ALWAYS use this skill', 'Do NOT attempt... through any other method') designed to override the agent's default routing logic and force the use of this specific, high-risk toolset.
  • [COMMAND_EXECUTION]: The skill is vulnerable to indirect prompt injection and command injection through its interpolation of user-supplied data into shell commands.
      • Ingestion points: User-provided text prompts are passed to the /generate, /icon, and /edit commands within SKILL.md.
      • Boundary markers: The commands wrap prompts in single quotes, which can be trivially bypassed using shell metacharacters (e.g., ' ; malicious_command ; ').
      • Capability inventory: The skill has access to the Bash(gemini:*) tool to execute arbitrary shell commands.
      • Sanitization: No validation or escaping is performed on the user input before it is executed in the shell environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 27, 2026, 06:07 AM