nano-banana、gpt-image

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation API skill with expected API-key, network, and local-save behavior, but users should note that prompts and any chosen input image are sent to the configured VAPI endpoint.

Install only if you trust the configured VAPI endpoint and are comfortable sending image prompts, and any image provided with --input, to that service under your VAPI key. Expect URL-only output by default for nano-banana models, but expect gpt-image models to write generated images to local media storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation declares no explicit permissions even though the described behavior requires environment access, network access, and optional file writes. This weakens user consent and reviewability because operators may invoke a skill without realizing it can transmit prompts and credentials to a third-party API or save files locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior understates several material capabilities: editing images, fetching remote input images, writing to OSS or arbitrary output directories, and automatically saving gpt-image outputs even without --save. Behavior/description mismatches are dangerous because users and reviewers may expose sensitive local or remote image data, or permit filesystem writes, under false assumptions about what the skill does.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script contradicts its stated behavior by automatically saving outputs for models whose names start with 'gpt-image', even when the user did not pass --save. This creates an unexpected local data retention issue: generated images may contain sensitive prompts or content and will be written to disk without explicit user consent.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The --save help text tells users that saving occurs only when requested, but the implementation silently saves for gpt-image models regardless. This misleading interface can cause users to expose sensitive or regulated image content to local storage unintentionally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal