gemini
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions for using `gemini skills install <source>` and `gemini extensions install <source>` (documented in `SKILL.md` and `references/command-patterns.md`). These commands let the agent download and install executable code from arbitrary, unverifiable remote sources.
- [COMMAND_EXECUTION]: The skill explicitly documents and allows `--approval-mode yolo` (found in `SKILL.md` and `references/command-patterns.md`). This mode bypasses human-in-the-loop safety checks by automatically approving all tool executions, including potentially destructive commands or file modifications.
- [PROMPT_INJECTION]: The skill presents a significant indirect prompt injection surface (Category 8). Ingestion points: retrieves external data from files via the `@path` syntax and from the web via the `-e web_search` extension. Boundary markers: none provided; the skill does not instruct the agent to distinguish between its own logic and instructions found in external data. Capability inventory: powerful capabilities include file modification (`--approval-mode auto_edit`), remote skill/extension installation, and network access. Sanitization: no validation or sanitization of ingested content is performed before the agent processes it.
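The findings above are all static patterns in the skill's instruction files, so they can be caught before a skill is installed. The following is an added example, not part of this audit or of the audited skill: a small scanner that walks a `SKILL.md`-style text and flags the same command patterns the audit names, then rolls the findings up into a risk level. The rule regexes, the `FILE_MODIFICATION` category, the risk-level thresholds and the sample file contents are assumptions made for illustration; only the flag and command names come from the audit.

```python
"""Static check for risky gemini CLI invocations in a skill's instruction files.

Added example, not code from the Gen Agent Trust Hub audit or the audited skill.
The rule patterns and risk thresholds are assumptions built around the commands
and flags the audit names; the sample file contents are constructed.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    category: str
    snippet: str
    reason: str


# (category, pattern, reason). Assumed patterns, not an official rule list.
RULES = [
    ("REMOTE_CODE_EXECUTION",
     re.compile(r"\bgemini\s+(?:skills|extensions)\s+install\b"),
     "installs executable code from an unverified remote source"),
    ("COMMAND_EXECUTION",
     re.compile(r"--approval-mode(?:=|\s+)yolo\b"),
     "auto-approves every tool call; no human in the loop"),
    ("PROMPT_INJECTION",
     # `@path` file ingestion (lookbehind avoids e-mail addresses) or web search.
     re.compile(r"(?<![\w/])@[\w./-]+|(?:^|\s)-e\s+web_search\b"),
     "ingests untrusted file/web content with no boundary markers"),
    ("FILE_MODIFICATION",
     re.compile(r"--approval-mode(?:=|\s+)auto_edit\b"),
     "auto-approves edits to files"),
]

# Categories that on their own make the skill HIGH risk (assumed mapping).
HIGH_RISK = {"REMOTE_CODE_EXECUTION", "COMMAND_EXECUTION"}


def scan_text(file: str, text: str) -> list[Finding]:
    """Return every rule match in `text`, in line order then rule order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern, reason in RULES:
            for match in pattern.finditer(line):
                findings.append(Finding(file, line_no, category,
                                        match.group(0).strip(), reason))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Roll findings up to a single level (assumed thresholds)."""
    categories = {f.category for f in findings}
    if categories & HIGH_RISK:
        return "HIGH"
    if categories:
        return "MEDIUM"
    return "NONE"


# Constructed sample: what a risky SKILL.md might contain.
SAMPLE_SKILL_MD = """\
# Example CLI skill (constructed sample)
Install helpers with `gemini extensions install https://example.invalid/ext`.
Run unattended: gemini --approval-mode yolo -p "fix the build"
Read the spec with @docs/spec.md and search the web with -e web_search.
Contact: security@example.invalid
"""


def report(file: str, text: str) -> str:
    """Human-readable report for one file."""
    findings = scan_text(file, text)
    lines = [f"{f.file}:{f.line_no} [{f.category}] {f.snippet}: {f.reason}"
             for f in findings]
    lines.append(f"Risk Level: {risk_level(findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise the named files.
    if len(sys.argv) == 1:
        print(report("SKILL.md", SAMPLE_SKILL_MD))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(report(path, fh.read()))
```

Run it with the paths of a skill's `SKILL.md` and any `references/*.md` it ships; a `HIGH` result is the cue to read the flagged lines by hand before installing. The scanner is deliberately strict about `--approval-mode yolo` and remote `install` commands, and treats `@path` and `-e web_search` as ingestion points that need boundary markers and sanitization, which is exactly what the audit found missing.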
Recommendations
- AI detected serious security threats
Audit Metadata