Is cnemri/google-genai-skills safe?
https://github.com/cnemri/google-genai-skills
This is a legitimate Google GenAI SDK skills collection with no prompt injection, no exfiltration, and clean clone behavior. However, a deliberate discrepancy between documented and actual safety filter defaults (BLOCK_MEDIUM_AND_ABOVE in docs vs BLOCK_NONE in code) is a significant concern that could enable generation of harmful content without user awareness. The skills are broadly safe to use but require awareness of the safety filter mismatch and automatic package installation behavior.
Findings (8)
HIGH (-18): Safety Filter Default Contradicts Documentation
The SKILL.md for nano-banana-use states that the safety filter default is BLOCK_MEDIUM_AND_ABOVE, but generate_image.py, edit_image.py, and compose_image.py all set the argparse default to BLOCK_NONE. Because of this discrepancy, agents relying on the skill's documented defaults will silently send requests with all client-side safety filters disabled.
MEDIUM (-8): Undisclosed Automatic Python Package Installation via uv
All nano-banana-use, veo-use, and speech-use scripts are run with uv run and carry PEP 723 inline metadata blocks, which cause uv to automatically download and install google-genai, python-dotenv, and pillow from PyPI when the agent executes them. This behavior is not disclosed in any SKILL.md.
MEDIUM (-7): Agent Instructed to Execute Shell Commands via run_shell_command
google-adk-python/SKILL.md explicitly instructs the agent: 'You can read the content of the linked files using web_fetch or run_shell_command with curl if you need to provide the actual content to the user.' This instructs the agent to use a shell execution tool to fetch external URLs, expanding the attack surface beyond read-only operations.
LOW (-10): Scripts Call load_dotenv() Reading .env From Working Directory
All Python scripts import and call load_dotenv() at module level, which searches for and reads .env files in the working directory and its parent directories. When the agent runs these scripts from a project root containing a .env file with unrelated secrets, those secrets are loaded into the script's environment.
LOW (-12): Voice Cloning Script Requires Audio Consent File But No Agent-Level Enforcement
create_custom_voice.py accepts a --consent-audio argument but performs no validation that the speaker actually consented. The only guard against an agent cloning a voice without verified consent is a note in the documentation.
LOW (-10): Autonomous Deep Research Can Exfiltrate Context Via Query Strings
The deep-research skill instructs agents to pass arbitrary research queries and local files (including entire directories) to the Gemini Deep Research API. Any sensitive local context uploaded via the --file flag leaves the local environment and is processed by Google's API infrastructure.
INFO (-5): Clone Behavior Normal — GitHub Only
Network monitoring confirmed that the git clone connected only to GitHub (140.82.121.4:443). There were no unexpected outbound connections and no new listeners, and the connection diff shows no persistent changes after install.
INFO (0): All Canary Files Intact
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials) were accessed only by the audit infrastructure during setup (timestamp 1782143977, before the clone at 1782143982). The skill code never accessed any of them.