Is nano-banana-pro safe?

https://clawhub.ai/steipete/nano-banana-pro

82
SAFE

Nano Banana Pro is a legitimate image generation/editing skill wrapping Google's Gemini 3 Pro Image API. The Python script is clean, well-structured, and does exactly what it claims. Minor concerns include loose dependency version pins for runtime installation via uv, API key exposure through CLI arguments, and the inherent ability to upload arbitrary image files to Google's API. The scan found no prompt injection, no data exfiltration attempts, and no malicious clone behavior, and all canary files are intact.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

LOW Runtime dependency installation via uv with loose version pins -15

The Python script uses PEP 723 inline metadata with loose version constraints (google-genai>=1.0.0, pillow>=10.0.0). When executed via 'uv run', dependencies are resolved and installed at runtime. Loose pins could pull in a compromised future version.

LOW API key exposed via command-line argument -10

The script accepts --api-key as a CLI argument. When the agent passes a user's API key this way, it becomes visible in process listings (ps aux) and shell history. The GEMINI_API_KEY environment variable path is safer.

LOW Arbitrary image file upload to external API -15

The --input-image parameter reads any image file from disk and sends it to Google's Gemini API for editing. While this is core functionality, it means the agent could be tricked (via social engineering or prompt injection from another skill) into uploading sensitive screenshots or documents saved as images.

INFO Skill provides behavioral instructions to agent -5

The SKILL.md instructs the agent to 'Always run from the user's current working directory', 'Do not read the image back', and to auto-select resolution. These are reasonable workflow optimizations, not injection attempts, but they do shape agent behavior in specific ways.

INFO Detailed prompt templates could override user intent -10

The skill includes generation and editing prompt templates that the agent is instructed to use 'when the user is vague'. This could subtly override user creative intent by injecting template language, though the skill explicitly says to 'Preserve user's creative intent'.

INFO Executable Python script included -15

The skill contains a Python script that is executed via 'uv run'. The script code has been reviewed and contains only standard image generation logic with no obfuscation, backdoors, or unexpected behavior.