fal-nano-banana-2-image-gen
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads generated images from the 'fal.run' and 'queue.fal.run' domains, which is the core intended functionality of an image generation tool. These domains belong to a well-known service provider (fal.ai).
- [COMMAND_EXECUTION]: The script uses standard Node.js file system APIs ('node:fs/promises') to manage local logs and artifacts. It includes a safety check to ensure that the '--out' directory is always a subdirectory of 'artifacts/', preventing arbitrary file writes outside the intended scope.
- [CREDENTIALS_UNSAFE]: The skill implements safe credential handling by reading the API key from a local 'workers.jsonc' file. It explicitly warns against committing secrets and includes logic to avoid printing or logging the actual key values, only checking for their presence.
Audit Metadata