gemini-3-image-generation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains code examples that require embedding API keys directly as literal strings (e.g., genai.configure(api_key="YOUR_API_KEY") and new GoogleGenerativeAI("YOUR_API_KEY")), which instructs replacing placeholders with real secrets and thus would require the LLM to handle/output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly enables Google Search grounding (see tools=[{"google_search_retrieval": {}}] in references/grounded-generation.md and scripts/grounded-gen.py), which fetches and uses untrusted public web content as grounding sources for image generation, exposing the agent to potential indirect prompt injection.