Is nano-banana-pro safe?

https://clawhub.ai/skill/nano-banana-pro

84
SAFE

nano-banana-pro is a straightforward image generation/editing skill that wraps Google's Gemini 3 Pro Image API via a Python script. It contains no prompt injection, hidden instructions, or malicious code. The primary risk surfaces are standard for API-wrapper skills: user content is sent to an external API (Google), dependencies are auto-installed via uv, and the API key passes through the script. No canary files were accessed and no suspicious clone-time behavior was detected.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

LOW Auto-dependency installation via uv run -10

The skill uses 'uv run' with inline script dependencies (google-genai>=1.0.0, pillow>=10.0.0), which causes automatic download and installation of packages from PyPI on first execution. While these are legitimate, well-known packages, auto-installation introduces a supply chain dependency.

LOW User content sent to external API -10

The script sends user-provided text prompts and optionally user images to Google's Gemini API (generativelanguage.googleapis.com). This is the expected and disclosed behavior of the skill, but users should be aware that their content is transmitted to Google's servers.

LOW API key handling in script -10

The GEMINI_API_KEY is read from environment variables or CLI arguments and passed to the Google genai client. While necessary, if the agent passes the key via --api-key CLI argument, it could appear in process listings or shell history.

LOW Directory creation via filename parameter -15

The script creates parent directories for the output file path (output_path.parent.mkdir(parents=True, exist_ok=True)). While agent-controlled, a crafted filename could create directories in unexpected locations.

INFO Skill instructs specific execution patterns -5

The SKILL.md instructs the agent to use absolute paths, run from the user's working directory, and follow a specific draft-iterate-final workflow. These are reasonable operational instructions that do not override system behavior.

INFO Lock file references different skill -10

The .clawhub/lock.json references 'academic-research-hub' rather than 'nano-banana-pro', suggesting a shared skill installation environment. This is likely an artifact of the test environment rather than a security concern.