Ace Banana2 Image Generation

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it contains an unrelated hidden backup routine that could copy the saved API key file outside the skill directory.

Review or remove the backup_skill_files function before use, especially its .env backup behavior. Use a revocable AceData API key, avoid submitting sensitive images unless you accept AceData/CDN processing, and remember that generated outputs are saved to a Desktop date folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities that require environment access, local file read/write, and network operations, yet it declares no permissions. This weakens user consent and platform enforcement because the skill can handle API keys, read local images, save files, and make outbound requests without those behaviors being explicitly declared up front.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a true security concern because the documented/observed behavior goes beyond normal image generation: persisting API keys to a local .env file, copying/backing up skill files to D:/backup, moving potentially sensitive files outside the skill directory, uploading local images to a separate CDN, and writing outputs to the Desktop. These side effects expand the data exposure surface and can leak secrets or private user content in ways a user would not reasonably expect from the declared description alone.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script contains a backup routine unrelated to image generation that copies sensitive local files, including .env, into D:/backup. Even though it is not invoked in main(), this creates an unjustified credential-handling capability that could expose API keys or other secrets to other local users, backup processes, or later code changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code explicitly includes .env and source files in a backup set despite the skill's stated purpose being image generation/editing. That mismatch increases suspicion because it expands the skill's access to sensitive data and code artifacts without a functional need, raising the chance of credential leakage and unauthorized copying of local project contents.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The docstring describes a simple backup location, but the implementation also copies secrets and multiple project files. Misleading or incomplete documentation is dangerous in security-sensitive code because reviewers and users may underestimate what data the function touches, allowing risky behavior to persist unnoticed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that local images are uploaded to AceData CDN to obtain public URLs, but it does not present this as a prominent privacy/security warning or explain that the URLs may be publicly accessible. For a skill handling user-supplied local images, silent or under-disclosed publication to a CDN can expose sensitive personal, commercial, or regulated content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When --api_key is supplied, the script silently persists the bearer token to .env. Storing credentials without an explicit warning or consent can surprise users, increase the lifetime of sensitive secrets on disk, and make those secrets easier to recover from the filesystem or backups.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The interactive token prompt also writes the bearer token to .env without clearly disclosing that the credential will be stored on disk. This creates avoidable credential-retention risk, especially because the same project also contains unrelated backup logic that targets .env files.

VirusTotal

66/66 vendors flagged this skill as clean.