Scan report
0/100
nano-banana2
Image generation skill (text-to-image and image-to-image) using the kexiangai.com API
Legitimate image generation skill that calls a documented API endpoint, stores credentials in a user-specified config path, and is fully transparent about all capabilities in SKILL.md.
OK to install
No action needed. The skill is safe to use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md lines 97-106: curl to https://agent.mathmind.cn/minimalist/api/imgEditN… |
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md lines 62-72: writes to ~/.config/nano-banana2/.env |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md lines 55-60: reads X_API_KEY from environment |
| Command execution | WRITE | WRITE | ✓ Consistent | scripts/generate.sh: executes curl commands for API calls |
1 finding
Medium severity · External URL
https://agent.mathmind.cn/minimalist/api/imgEditNB2 (SKILL.md:100)
Directory structure
4 files · 10.8 KB · 404 lines
Markdown: 2 files · 296 lines
Shell: 2 files · 108 lines
├─ references
│  └─ api-guide.md (Markdown)
├─ scripts
│  ├─ generate.sh (Shell)
│  └─ set_key.sh (Shell)
└─ SKILL.md (Markdown)
Security highlights
✓ All capabilities explicitly declared in SKILL.md
✓ API endpoint fully documented with request/response structure
✓ Credential storage path clearly specified (~/.config/nano-banana2/.env) with proper chmod 600
✓ No base64/eval/hidden instructions found
✓ No credential exfiltration — API key is used only for the intended API call
✓ No iteration over environment variables for sensitive keys
✓ No remote script execution (curl|bash or wget|sh patterns absent)
✓ Shell scripts are straightforward wrappers around documented curl commands
✓ No sensitive paths accessed beyond the explicitly declared config directory
✓ Input validation and error handling are documented