nano-banana — agentic threat model
nano-banana is a low-autonomy image generation plugin for Claude Code, but its execution within a developer's local CLI environment introduces risks of local context exposure and tool-chain compromise if upstream APIs or search grounding inputs are manipulated.
OWASP AIVSS score rationale

| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary because the public description did not cover that layer.
Layer 1 (Foundation Models): Utilizes Claude Code as the host LLM and Google Gemini image models (gemini-2.5-flash-image, gemini-3-pro-image-preview). Primary threats include adversarial prompt injection to bypass safety filters on image generation or trigger misaligned outputs.
Layer 2 (Data Operations): Processes multi-reference images and performs search grounding. Risks include data poisoning via malicious search results and embedding inversion or metadata exploits from untrusted reference images.
Layer 3 (Agent Frameworks): Orchestrated as a Claude Code plugin executing the `/genimage` command. Vulnerable to insecure tool integration and command injection if arguments passed to the plugin are not strictly sanitized.
Layer 4 (Deployment & Infrastructure): Not certain from the listing — likely runs locally as a Claude Code CLI plugin, inheriting the local host's security posture and relying on external Gemini API endpoints.
Layer 5 (Evaluation & Observability): Not certain from the listing — no explicit mention of logging, content moderation guardrails, or output verification for generated images.
Layer 6 (Security & Compliance): Not certain from the listing — security controls likely depend entirely on the host environment (Claude Code) and the upstream Gemini API authentication/policies.
Layer 7 (Agent Ecosystem): Operates as a plugin within Claude Code (an agentic CLI tool). This creates an agent-to-agent trust boundary where a compromise in the plugin could lead to local terminal exploitation if Claude Code trusts its outputs implicitly.
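As an added example (not nano-banana's own code; the listing does not show its internals), one defensive way to handle the `/genimage` arguments from the Agent Frameworks layer: the prompt and reference-image paths are validated and handed to the backend as an argv list, never spliced into a shell string. The `genimage-backend` binary and its `--model`/`--prompt` flags are hypothetical names.

```python
# Added example, not nano-banana's own code (the listing does not show its
# internals). Defensive handling of arguments a Claude Code plugin receives
# for a command like /genimage: prompt text and reference-image paths are
# attacker-influenced and must never reach a shell as an interpolated string.
import shlex
from pathlib import Path

ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".webp"}
# File signatures, so a renamed file does not pass on its extension alone.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".webp": b"RIFF"}
MAX_PROMPT = 2000
MAX_REFS = 4  # multi-reference input, but bounded

class ArgumentError(ValueError):
    """Raised when /genimage arguments fail validation."""

def parse_genimage(raw: str, workdir: Path) -> tuple[str, list[Path]]:
    """Parse '/genimage "<prompt>" [ref1 ref2 ...]' into validated parts."""
    tokens = shlex.split(raw)  # shell-style quoting, but no shell ever runs it
    if len(tokens) < 2 or tokens[0] != "/genimage":
        raise ArgumentError("usage: /genimage <prompt> [reference images]")
    prompt, refs = tokens[1], tokens[2:]
    if not prompt.strip() or len(prompt) > MAX_PROMPT:
        raise ArgumentError("prompt empty or too long")
    if len(refs) > MAX_REFS:
        raise ArgumentError(f"at most {MAX_REFS} reference images")
    root = workdir.resolve()
    paths = []
    for ref in refs:
        p = (root / ref).resolve()  # follows symlinks and '..' before the check
        if root not in p.parents:
            raise ArgumentError(f"reference outside the working directory: {ref}")
        if p.suffix.lower() not in ALLOWED_SUFFIXES or not p.is_file():
            raise ArgumentError(f"not a supported image file: {ref}")
        with p.open("rb") as fh:
            if not fh.read(8).startswith(MAGIC[p.suffix.lower()]):
                raise ArgumentError(f"content does not match extension: {ref}")
        paths.append(p)
    return prompt, paths

def build_argv(prompt: str, refs: list[Path],
               model: str = "gemini-2.5-flash-image") -> list[str]:
    """argv for subprocess.run(argv, shell=False). Each element is one literal
    argument, so ';', '$(...)' or quotes inside the prompt stay plain text.
    'genimage-backend' and its flags are hypothetical names."""
    return ["genimage-backend", "--model", model, "--prompt", prompt,
            *(str(p) for p in refs)]
```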
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).