Nanobanana Plus

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is purpose-aligned, but it runs an unpinned external CLI while passing through environment credentials.

Review before installing. Use a limited API key, avoid running it in an environment containing unrelated secrets, and confirm exactly which nanobanana-plus executable will be launched and where it came from.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documentation instructs users to supply an API key and send prompts to image-generation models, but it does not clearly warn that prompts and generated content are transmitted to external third-party providers. This creates a privacy and data-handling risk because users may unknowingly submit sensitive text or regulated content through a provider-backed service.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal