Trusted (risk score 5/100)
Last scanned: 2 days ago
nano-banana2
Image generation skill using kexiangai.com API (imgEditNB2 endpoint) for text-to-image and image-to-image generation
Legitimate image generation skill with clear documentation, declared network access to a single external API, optional local key storage with proper file permissions (chmod 600), and standard shell/python execution for API calls.
Skill name: nano-banana2
Analysis time: 41.3s
Engine: pi
Safe to install
Skill is safe to use. Ensure users only enable --use-local-key after reviewing the local credential storage behavior. No action required.
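| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Network access | READ | READ | ✓ Consistent | SKILL.md declares network access to https://agent.mathmind.cn/minimalist/api/img… |
| File system | NONE | READ | ✓ Consistent | SKILL.md documents ~/.config/nano-banana2/.env access only with --use-local-key … |
| Command execution | READ | READ | ✓ Consistent | SKILL.md command templates show bash execution; scripts/generate.sh executes cur… |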
1 finding
Medium severity: External URL
https://agent.mathmind.cn/minimalist/api/imgEditNB2
SKILL.md:10

Directory structure

4 files · 14.0 KB · 474 lines
Markdown 2f · 323L Shell 2f · 151L
├─ 📁 references
│ └─ 📝 api-guide.md Markdown 56L · 949 B
├─ 📁 scripts
│ ├─ 🔧 generate.sh Shell 118L · 3.0 KB
│ └─ 🔧 set_key.sh Shell 33L · 620 B
└─ 📝 SKILL.md Markdown 267L · 9.4 KB

Security highlights

✓ API endpoint clearly declared: https://agent.mathmind.cn/minimalist/api/imgEditNB2
✓ API key masked in logs per SKILL.md security requirements
✓ Parameter validation with safe fallbacks (aspectRatio → auto, imageSize → 1K)
✓ Anti-repeat call protection prevents duplicate API calls
✓ 10-minute timeout (600s) explicitly set to handle long generation times
✓ Local key storage sets chmod 600 on .env file for proper permissions
✓ set_key.sh reads key from TTY to avoid command-line history exposure
✓ Input sanitization using grep with regex to safely parse .env file
✓ No credential exfiltration or hidden data transmission observed
✓ No obfuscation, base64 execution, or suspicious patterns detected