Nano Banana 2 — AI Image Generation (Gemini 3.1 Flash Image, Google, Evolink)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Evolink image-generation skill, with expected third-party API use and temporary public file links that users should treat carefully.

Install only if you are comfortable sending prompts, reference images, and generated outputs to Evolink using your EVOLINK_API_KEY. Avoid confidential, regulated, or proprietary images unless you intend them to be processed externally. Treat file/result URLs as shareable links while they exist, delete hosted files when no longer needed, and consider pinning the optional MCP package instead of relying on @latest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly tells users to upload images to a file hosting service that returns publicly accessible URLs, but it does not warn that uploaded content may be exposed to anyone possessing the link. In a skill handling user-provided images, this omission can lead to accidental disclosure of sensitive or personal data, especially because the returned `file_url` is positioned as the intended sharing mechanism.

VirusTotal

64/64 vendors flagged this skill as clean.
