🫧 Nano Banana 2 — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This is a clearly disclosed RunComfy image-generation skill that uses expected credentials and external API calls for its stated purpose.

Install this only if you intend to use RunComfy for Nano Banana 2 image generation. Your prompts and any web-grounded context may be sent to RunComfy, so avoid including private or sensitive material unless you are comfortable sharing it with that service, and keep your RunComfy token protected.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger text includes broad catch-all language such as routing on 'any explicit ask to generate with Nano Banana,' which can cause the skill to activate in contexts where a more specific or safer skill should be used. Overbroad routing is dangerous because it increases the chance of unintended third-party API calls, accidental data disclosure in prompts, and model misuse when user intent is ambiguous.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal