research
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill explicitly instructs the agent to execute a bash command (
gemini -m gemini-2.5-flash -p "..."). While intended for searching, the inclusion of dynamic content in a shell command without explicit sanitization or parameterization poses a risk if malicious content from previous tool outputs influences the prompt string. - [COMMAND_EXECUTION] (MEDIUM): The skill writes research reports to
./plans/<plan-name>/reports/. The<plan-name>variable is dynamic and lacks validation, which could allow for path traversal attacks (e.g., using../../) to write files outside the intended directory. - [PROMPT_INJECTION] (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: External data enters the context via
WebSearch,docs-seeker(GitHub repository content), and the output of thegeminibash command. - Boundary markers: The instructions do not define any boundary markers or delimiters to separate untrusted data from system instructions.
- Capability inventory: The skill has the capability to execute bash commands (
gemini) and write files to the local filesystem. - Sanitization: There is no mention of sanitizing, escaping, or validating the content retrieved from external sources before it is used to generate the next search prompt or written to a report file.
Audit Metadata