nanobanana-openrouter

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: generate or edit images through OpenRouter, with expected API-key use and external prompt/image transmission.

Install only if you are comfortable sending prompts and any selected input images to OpenRouter and the underlying model provider. Avoid confidential, regulated, or personal images unless that transfer is acceptable, and prefer using OPENROUTER_KEY from the environment rather than passing API keys in chat or command arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill sends user prompts and potentially user-supplied images to OpenRouter, but the description does not warn users that their content is transmitted to an external service. This creates a privacy and data-handling risk, especially if users provide sensitive images, confidential prompts, or regulated data under the assumption that processing is local.

VirusTotal

67/67 vendors flagged this skill as clean.
