Is delneg/nano-banana-pro-grsai safe?
https://github.com/openclaw/skills/tree/main/skills/delneg/nano-banana-pro-grsai
The nano-banana-pro-grsai skill is a legitimate image-generation wrapper, but two design choices give it meaningful privacy and exfiltration risk: (1) the --input-image parameter reads any local file path and sends the raw bytes, base64-encoded, to grsaiapi.com, an unofficial third-party API proxy with unknown data-retention policies; and (2) every prompt and image routes through that third-party service rather than directly to the model vendor. No active malicious behavior was observed during installation, the skill itself did not touch canary files, and the Python script uses only the standard library with no external dependencies. The runtime attack surface is nonetheless significant if an agent is directed to pass a sensitive file as an 'input image'.
Findings (7)
HIGH Arbitrary file read via --input-image transmitted to third-party API -30
The generate_image.py script accepts any filesystem path via --input-image, reads it with input_path.read_bytes(), base64-encodes it, and sends it to grsaiapi.com as part of the API payload. Nothing checks that the path points to an image file. An agent could be directed (by prompt injection, a chained skill, or user error) to pass a sensitive file such as ~/.env or ~/.ssh/id_rsa as the 'input image', silently exfiltrating its contents to a third-party server with no warning to the user.
HIGH Unofficial third-party API proxy receives all prompts and image content -12
All requests route through grsaiapi.com, an unofficial third-party reseller or proxy for the Nano Banana model. This is not the official model vendor endpoint. The service receives user prompts verbatim and full base64-encoded image data. Its data retention, logging, and security posture are unknown. Every image generation or editing operation leaks user content to this service.
MEDIUM API-controlled image URL written to agent-specified filesystem path without content validation -15
The script fetches the URL returned by the grsaiapi.com server (image_url = result['results'][0]['url']) and writes the raw bytes to disk. Neither the URL nor the content is validated. A malicious or compromised API server could return a URL pointing at internal network resources (SSRF from the agent's host), or return a non-image payload that is written to a path partly controlled by the agent. The --filename argument also accepts paths with directory components, and mkdir(parents=True) creates them silently, so the write location is not confined to an output directory.
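The two findings above (unvalidated --input-image reads, and an unvalidated result URL written to an agent-chosen path) share the same fix pattern: confine paths to a known directory, sniff magic bytes before trusting anything as an image, and allowlist where results may be fetched from. The following is an added example written for this review, not code from the skill or from openclaw/skills; MAX_INPUT_BYTES, RESULT_HOSTS, the cdn.example-results.invalid host and the constructed sample files are assumptions for illustration. The `demo()` function builds its own throwaway files so the checks can be exercised offline.

```python
import base64
import ipaddress
import socket
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical policy values for this example; the skill defines none of these.
MAX_INPUT_BYTES = 20 * 1024 * 1024
RESULT_HOSTS = {"cdn.example-results.invalid"}

def image_kind(data: bytes) -> Optional[str]:
    """Classify by magic bytes (PNG, JPEG, WebP); None means 'not an image'."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def load_input_image(path: str, allowed_root: Path) -> str:
    """Base64-encode an image under allowed_root; refuse anything else."""
    root = allowed_root.resolve()
    # resolve() follows symlinks, so a link to ~/.ssh/id_rsa fails the root check
    # just like ../ traversal; an absolute `path` replaces root in the join.
    target = (root / path).resolve()
    if not target.is_relative_to(root):
        raise ValueError(f"refusing {path!r}: outside {root}")
    if not target.is_file() or target.stat().st_size > MAX_INPUT_BYTES:
        raise ValueError(f"refusing {path!r}: not a regular file of sane size")
    data = target.read_bytes()
    if image_kind(data) is None:
        raise ValueError(f"refusing {path!r}: not a PNG/JPEG/WebP image")
    return base64.b64encode(data).decode("ascii")

def is_safe_result_url(url: str, resolver=socket.gethostbyname_ex) -> bool:
    """HTTPS, allowlisted host, and every resolved address globally routable."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in RESULT_HOSTS:
        return False
    try:
        _name, _aliases, addrs = resolver(parts.hostname)
    except OSError:
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def safe_output_path(filename: str, out_dir: Path) -> Path:
    """Confine --filename to a single .png leaf directly inside out_dir."""
    name = Path(filename)
    if name.is_absolute() or len(name.parts) != 1 or name.suffix.lower() != ".png":
        raise ValueError(f"refusing output name {filename!r}")
    return out_dir.resolve() / name.name

def save_result(data: bytes, dest: Path) -> int:
    """Write only bytes that sniff as an image; returns the byte count written."""
    if image_kind(data) is None:
        raise ValueError("result body is not an image; not writing it")
    dest.parent.mkdir(exist_ok=True)  # no parents=True: out_dir must already exist
    return dest.write_bytes(data)

def demo() -> dict:
    """Run the checks over constructed files (not assets from the skill's repo)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "images"
        root.mkdir()
        png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
        (root / "photo.png").write_bytes(png)
        (root / "notes.txt").write_text("TOKEN=hunter2\n")
        secret = Path(tmp) / "id_rsa"
        secret.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n")
        try:
            (root / "link.png").symlink_to(secret)  # image name, secret target
        except OSError:
            pass  # platform without symlinks: the name then simply does not exist
        out["photo.png"] = load_input_image("photo.png", root)[:8]
        for label, bad in (("traversal", "../id_rsa"), ("absolute", str(secret)),
                           ("symlink", "link.png"), ("not_image", "notes.txt")):
            try:
                load_input_image(bad, root)
                out[label] = "accepted"
            except ValueError:
                out[label] = "refused"
        out["saved_bytes"] = save_result(png, safe_output_path("result.png", root))
        for bad in ("../result.png", "/tmp/result.png", "result.txt"):
            try:
                safe_output_path(bad, root)
                out[bad] = "accepted"
            except ValueError:
                out[bad] = "refused"
    public = lambda host: (host, [], ["93.184.216.34"])
    internal = lambda host: (host, [], ["169.254.169.254"])
    good = "https://cdn.example-results.invalid/a.png"
    out["url_public"] = is_safe_result_url(good, public)
    out["url_internal"] = is_safe_result_url(good, internal)
    out["url_other_host"] = is_safe_result_url("https://attacker.invalid/a.png", public)
    return out
```

Two caveats on the URL check: resolving the host here and then letting urllib resolve it again at connect time leaves a DNS-rebinding window, so a production client should pin the checked address at the socket level; and an allowlist only helps if the result host is stable, which a reviewer would have to confirm against the proxy's actual responses.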
MEDIUM Skill creates covert file exfiltration surface when combined with filesystem-aware skills -20
When this skill is active alongside skills that expose local file paths (e.g. file management, code editing, document summarization), a chained attack or prompt injection could direct the agent to invoke generate_image.py with a sensitive file as --input-image. The exfiltration would look like a legitimate 'image editing' request and would not be flagged by ordinary output monitoring, because the file content leaves the host as base64 inside a JSON POST body.
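Because the content leaves as base64 inside JSON, a monitor has to decode the field to see what is actually being sent. The following is an added example of that egress check, written for this review rather than taken from the skill or its repository: it walks a captured POST body, decodes any long base64 string, and reports fields whose decoded content is text rather than image data, tagging known secret shapes. The request bodies returned by `sample_bodies()` are constructed to match the shape the finding describes, not captured traffic, and the field names, thresholds and marker patterns are assumptions.

```python
import base64
import json
import re

# Constructed detection policy for this example: decode any base64-looking
# string at least this long and ask whether it is text rather than an image.
MIN_B64_LEN = 64
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Content that should never leave a workstation inside an "image" field.
SECRET_MARKERS = {
    "private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "dotenv_assignment": re.compile(rb"(?m)^[A-Z_][A-Z0-9_]*=\S+$"),
    "github_token": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
}


def looks_textual(data: bytes) -> bool:
    """True when the leading bytes are mostly printable ASCII; image data is not."""
    sample = data[:4096]
    if not sample:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return printable / len(sample) > 0.9


def string_fields(obj, path="$"):
    """Yield (json_path, value) for every string anywhere in a decoded document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from string_fields(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from string_fields(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_post_body(body: str) -> list:
    """Report base64 fields whose decoded content is text, with any secret markers."""
    findings = []
    for path, value in string_fields(json.loads(body)):
        if len(value) < MIN_B64_LEN or not B64_RE.match(value):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if not looks_textual(raw):
            continue                # binary blob, plausibly a real image
        markers = [name for name, rx in SECRET_MARKERS.items() if rx.search(raw)]
        findings.append({"field": path, "decoded_bytes": len(raw), "markers": markers})
    return findings


def sample_bodies() -> dict:
    """Constructed request bodies in the shape the finding describes; not captured traffic."""
    key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
           + b"AAAAB3NzaC1rZXktdjEAAAAAAAAAAAAAAAAA\n" * 3
           + b"-----END OPENSSH PRIVATE KEY-----\n")
    dotenv = b"OPENAI_API_KEY=sk-constructed-not-a-real-key\nDATABASE_URL=postgres://app:pw@db/prod\n"
    png = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2   # header plus opaque binary

    def edit_request(blob: bytes) -> str:
        payload = {"model": "nano-banana-pro", "prompt": "turn this into a watercolor",
                   "image": base64.b64encode(blob).decode("ascii")}
        return json.dumps(payload)

    return {"ssh_key": edit_request(key), "dotenv": edit_request(dotenv),
            "real_image": edit_request(png)}
```

A textual "image" with no marker hit is still worth surfacing, since no legitimate edit request carries one; the marker list only prioritises the alert. The printable-ratio heuristic is deliberately coarse: it separates key files and .env files from PNG/JPEG bodies, but a base64-encoded archive or compressed document would pass it as binary, so pairing it with an image magic-byte check on the decoded bytes closes that gap.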
LOW No external Python package dependencies — positive security indicator 0
The script's inline metadata specifies '# dependencies = []', so uv will not fetch any external packages at runtime. All functionality uses the Python standard library (argparse, base64, json, os, struct, sys, time, urllib). This removes the supply-chain risk from third-party Python packages; the network and filesystem findings above are unaffected by it.
LOW Installation clones expected GitHub monorepo with clean teardown -5
Install process performs a shallow sparse clone of github.com/openclaw/skills.git, checks out only the target skill subdirectory, copies files, and removes the temp clone. No unexpected network destinations were contacted during install beyond GitHub and Canonical Ubuntu infrastructure.
INFO No prompt injection indicators detected in SKILL.md 0
SKILL.md contains no instructions to override system prompts, ignore previous instructions, change agent persona, fetch external URLs into context, or suppress output. The instruction 'Do not read the image back' is slightly unusual but consistent with a performance/UX rationale rather than a concealment strategy.