Nano Banana Pro

Security checks across malware telemetry and agentic risk

Overview

This skill coherently calls Replicate to generate an image and save it locally, with no evidence of hidden access or malicious behavior.

Install only if you are comfortable sending prompts to Replicate/Google through your REPLICATE_API_TOKEN. Use ordinary workspace-relative output filenames, avoid sensitive prompts, and treat the image-editing claim as unsupported by this version.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill invokes a script that calls the Replicate API, which is a network-capable action, yet the skill declares no permissions. This creates a transparency and policy-enforcement gap: users or orchestration systems may treat the skill as lower risk than it is, while it can still send prompts and related data to an external service.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill description and documented behavior do not match the actual implemented capability: it claims Gemini 3 Pro Image and image editing, but the content indicates use of `google/nano-banana-pro` on Replicate and only text-to-image generation with local file output. This misrepresentation can cause users and security reviewers to misunderstand what third party receives data, what the tool can do, and where generated content is stored, undermining informed consent and trust boundaries.

Missing User Warnings (Medium)
Confidence: 93%
Finding: The script sends the user-supplied prompt to Replicate's external service, which is a real privacy and data-handling issue when users are not clearly informed that their input leaves the local environment. Prompts may contain sensitive or proprietary information, and the skill description/code does not provide any explicit disclosure, consent, or warning before transmission.

Missing User Warnings (Low)
Confidence: 88%
Finding: The code downloads a remote URL returned by the external service and writes it to a local path without prior disclosure or validation. While this is expected for an image-generation skill, it still creates a trust boundary issue because remote content is fetched and stored locally, and the output path is user-controlled.

VirusTotal

63/63 vendors flagged this skill as clean.
