中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
nanobanana-image-generation
Gemini-compatible image generation and scientific figure plotting
This is a legitimate AI skill for Gemini-compatible image generation and scientific figure plotting. The pre-scan flagged base64 encoding as critical, but this is standard API behavior for decoding returned images. Placeholder API key examples in documentation are not actual credentials.
技能名称nanobanana-image-generation
分析耗时31.8s
引擎pi
可以安装
This skill is safe to use. No security concerns identified.

安全发现 2 项

严重性 安全发现 位置
提示
Pre-scan IOC: base64 encoding flagged as critical 文档欺骗
The pre-scan flagged Buffer.from(data, 'base64') at line 330 as suspicious base64 encoding. This is legitimate code that decodes base64 image responses from the Gemini API. It is not obfuscation or malicious encoding.
fs.writeFileSync(filePath, Buffer.from(inlineData.data, "base64"));
→ This is expected API behavior, not a security issue.
 scripts/generate_image.js:330
提示
Pre-scan IOC: API key placeholders in documentation 文档欺骗
SKILL.md contains examples like 'your-provider-key', 'your_provider_api_key', and 'your_zzz_api_key'. These are documented placeholder values for configuration examples, not actual credentials.
export NANOBANANA_API_KEY="your-provider-key"
→ These are documentation examples, not hardcoded credentials.
 SKILL.md:59
资源类型声明权限推断权限状态证据
文件系统 READ WRITE ✓ 一致 Local file writes for output images
网络访问 READ READ ✓ 一致 POST to Gemini API endpoint only
命令执行 NONE NONE No subprocess or shell execution in any script
环境变量 READ READ ✓ 一致 Only reads NANOBANANA_* prefixed env vars
1 严重 3 高危 5 项发现
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(inlineData.data, "base64"
scripts/generate_image.js:330
🔑
高危 API 密钥 疑似硬编码凭证
API_KEY="your-provider-key"
SKILL.md:59
🔑
高危 API 密钥 疑似硬编码凭证
api_key="your_provider_api_key"
SKILL.md:217
🔑
高危 API 密钥 疑似硬编码凭证
api_key="your_zzz_api_key"
SKILL.md:222
🔗
中危 外部 URL 外部 URL
https://api.zhizengzeng.com/google
SKILL.md:67

目录结构

15 文件 · 97.8 KB · 2602 行
Markdown 8f · 1264L Python 4f · 965L JavaScript 1f · 348L JSON 1f · 18L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 361 B
├─ 📁 references
│ ├─ 📝 api-reference.md Markdown 121L · 3.0 KB
│ ├─ 📝 materials-science-figure-template.md Markdown 167L · 9.9 KB
│ ├─ 📋 materials-science-figure-templates.json JSON 18L · 9.6 KB
│ ├─ 📝 natural-language-plot-workflow.md Markdown 148L · 3.6 KB
│ ├─ 📝 prompt-templates.md Markdown 46L · 2.4 KB
│ ├─ 📝 publication-chart-patterns.md Markdown 99L · 2.4 KB
│ ├─ 📝 publication-figure-design.md Markdown 81L · 2.4 KB
│ └─ 📝 publication-plot-api.md Markdown 254L · 4.8 KB
├─ 📁 scripts
│ ├─ 🐍 build_materials_figure_prompt.py Python 71L · 2.4 KB
│ ├─ 🐍 build_plot_spec.py Python 198L · 6.2 KB
│ ├─ 📜 generate_image.js JavaScript 348L · 9.4 KB
│ ├─ 🐍 generate_image.py Python 306L · 10.5 KB
│ └─ 🐍 plot_publication_figure.py Python 390L · 13.4 KB
└─ 📝 SKILL.md Markdown 348L · 17.4 KB

安全亮点

✓ HTTPS enforcement on all API endpoints
✓ Third-party endpoint requires explicit --allow-third-party flag
✓ No shell execution or subprocess usage
✓ No credential exfiltration or data theft patterns
✓ Plot mode is fully local with no network access
✓ API keys can be stored in files to avoid command history exposure
✓ Scripts use standard library only (no external dependencies with supply chain risk)
✓ Clear separation between image mode (network) and plot mode (local)