ClawHub

Nano Banana API

Security checks across malware telemetry and agentic risk

Overview

This looks like a real image-generation API helper, but it needs Review because an undocumented endpoint override can send the API key to another server.

Install only if you trust the publisher and the Nano Banana service. Before using it, make sure NANO_BANANA_BASE_URL is unset or points to the official API, use a limited API key if possible, and download outputs only into a dedicated folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'request' from os.getenv (line 215, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
request = urllib.request.Request(url, data=payload, headers=headers, method=method)

    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, parse_body(response.read())
    except urllib.error.HTTPError as exc:
        return exc.code, parse_body(exc.read())
Confidence
95% confidence
Finding
with urllib.request.urlopen(request, timeout=timeout) as response:

Tainted flow: 'request' from os.getenv (line 215, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
filename = f"{prefix}-{index}{infer_extension(image_url)}"
        destination = target_dir / filename
        request = urllib.request.Request(image_url, headers={"User-Agent": DEFAULT_USER_AGENT})
        with urllib.request.urlopen(request, timeout=120) as response, destination.open("wb") as fh:
            shutil.copyfileobj(response, fh)
        downloaded.append(str(destination))
Confidence
92% confidence
Finding
with urllib.request.urlopen(request, timeout=120) as response, destination.open("wb") as fh:

Tainted flow: 'request' from os.getenv (line 215, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(request, timeout=args.timeout) as response:
            final_event: dict[str, Any] | None = None
            for raw_line in response:
                line = raw_line.decode("utf-8", errors="replace").strip()
Confidence
95% confidence
Finding
with urllib.request.urlopen(request, timeout=args.timeout) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation directs use of environment variables, network calls, and local file downloads/writes, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or review system may treat the skill as lower risk than it actually is, while the skill can still access secrets, contact external services, and write files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal