Scan Report
0/100
nano-banana2
Image generation skill (text-to-image and image-to-image) using the kexiangai.com API
Legitimate image generation skill that calls a documented API endpoint, stores credentials in a user-specified config path, and is fully transparent about all capabilities in SKILL.md.
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md lines 97-106: curl to https://agent.mathmind.cn/minimalist/api/imgEditN… |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md lines 62-72: writes to ~/.config/nano-banana2/.env |
| Environment | READ | READ | ✓ Aligned | SKILL.md lines 55-60: reads X_API_KEY from environment |
| Shell | WRITE | WRITE | ✓ Aligned | scripts/generate.sh: executes curl commands for API calls |
1 finding
Medium: External URL
https://agent.mathmind.cn/minimalist/api/imgEditNB2 (SKILL.md:100)
File Tree
4 files · 10.8 KB · 404 lines
Markdown: 2 files · 296 lines
Shell: 2 files · 108 lines
├─ references
│  └─ api-guide.md (Markdown)
├─ scripts
│  ├─ generate.sh (Shell)
│  └─ set_key.sh (Shell)
└─ SKILL.md (Markdown)
Security Positives
✓ All capabilities explicitly declared in SKILL.md
✓ API endpoint fully documented with request/response structure
✓ Credential storage path clearly specified (~/.config/nano-banana2/.env) with proper chmod 600
✓ No base64/eval/hidden instructions found
✓ No credential exfiltration — API key is used only for the intended API call
✓ No iteration over environment variables for sensitive keys
✓ No remote script execution (curl|bash or wget|sh patterns absent)
✓ Shell scripts are straightforward wrappers around documented curl commands
✓ No sensitive paths accessed beyond the explicitly declared config directory
✓ Input validation and error handling are documented