Security audit

Nano Banana Skill

Security checks across malware telemetry and agentic risk

Overview

This documentation-only image generation skill sends prompts and selected images to monet.vision as expected, but users should avoid sending sensitive files or prompts.

Install only if you are comfortable sending prompts, reference image URLs, uploaded images, and generated task history to monet.vision. Use a dedicated API key where possible, review any file path before upload, and do not upload secrets, private documents, regulated data, or sensitive personal images unless you have authorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README includes a file-upload example that sends a local file to a third-party service, but it does not explicitly warn that the file contents and any embedded metadata leave the local environment. In an agent-skill context, this omission can mislead users into uploading sensitive images or documents without understanding the privacy and data-handling implications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill documents file upload and the return of an online access URL, but does not clearly warn users that local files are transmitted to a third-party service and become remotely accessible for a retention period. This can lead to unintended disclosure of sensitive images or metadata if users assume uploads remain local or private by default.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 84%
Content (excerpt):

### Example 2: Generate Image with Reference Images

```typescript
const response = await fetch('https://monet.vision/api/v1/tasks/async', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
```

Finding: matched `fetch('https://monet.vision/api/v1/tasks/async', { method: 'POST'`

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.