Security audit

Wavespeed Nanobanana2

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Wavespeed AI integration, with the main caveat that prompt privacy should be clearer.

Install only if you are comfortable sending prompts and related generation parameters to Wavespeed AI. Do not include secrets, private personal data, regulated data, or confidential business material in prompts unless you have reviewed and accepted the provider's data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation describes sending text prompts to the Wavespeed AI API but does not explicitly warn users that their input leaves the local environment and is transmitted to a third-party service. This can cause inadvertent disclosure of sensitive, personal, or proprietary data if users assume prompts are processed locally or do not understand the privacy implications.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code transmits the user-provided prompt to an external API without any disclosure, consent, or indication that user content leaves the local/runtime boundary. If prompts contain sensitive, proprietary, or personal information, users may unknowingly expose data to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.