Scan Report
5/100
nano-banana2
Image generation skill using kexiangai.com API (imgEditNB2 endpoint) for text-to-image and image-to-image generation
Legitimate image generation skill with clear documentation, declared network access to a single external API, optional local key storage with proper file permissions (chmod 600), and standard shell/python execution for API calls.
Safe to install
Skill is safe to use. Ensure users only enable --use-local-key after reviewing the local credential storage behavior. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md declares network access to https://agent.mathmind.cn/minimalist/api/img… |
| Filesystem | NONE | READ | ✓ Aligned | SKILL.md documents ~/.config/nano-banana2/.env access only with --use-local-key … |
| Shell | READ | READ | ✓ Aligned | SKILL.md command templates show bash execution; scripts/generate.sh executes cur… |
1 finding
Medium: External URL
https://agent.mathmind.cn/minimalist/api/imgEditNB2 (SKILL.md:10)
File Tree
4 files · 14.0 KB · 474 lines
Markdown 2f · 323L
Shell 2f · 151L
├─ references
│  └─ api-guide.md (Markdown)
├─ scripts
│  ├─ generate.sh (Shell)
│  └─ set_key.sh (Shell)
└─ SKILL.md (Markdown)
Security Positives
✓ API endpoint clearly declared: https://agent.mathmind.cn/minimalist/api/imgEditNB2
✓ API key masked in logs per SKILL.md security requirements
✓ Parameter validation with safe fallbacks (aspectRatio → auto, imageSize → 1K)
✓ Anti-repeat call protection prevents duplicate API calls
✓ 10-minute timeout (600s) explicitly set to handle long generation times
✓ Local key storage sets chmod 600 on .env file for proper permissions
✓ set_key.sh reads key from TTY to avoid command-line history exposure
✓ Input sanitization using grep with regex to safely parse .env file
✓ No credential exfiltration or hidden data transmission observed
✓ No obfuscation, base64 execution, or suspicious patterns detected