Back to skill

Security audit

Nano Banana Pro

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward NanoPhoto image-generation skill that uses one disclosed API key and sends prompts or public image URLs to NanoPhoto as expected.

Install only if you trust NanoPhoto and are comfortable sending prompts, public image URLs, and generation metadata to that service. Configure NANOPHOTO_API_KEY through the platform's secure environment setting, avoid command-line key entry where possible, and do not submit sensitive, private, regulated, or proprietary image content unless you have approval for third-party processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends prompts, public image URLs, and the API key to NanoPhoto.AI, but the user-facing description does not clearly warn that user-provided content is transmitted to an external third party. This can cause unintended disclosure of sensitive prompts or image references, especially if users assume processing is local or first-party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.