baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses live responses from gemini.google.com (see generate_content in scripts/gemini-webapi/client.ts and fetch_gems in scripts/gemini-webapi/components/gem-mixin.ts), extracts arbitrary text, metadata and URLs from those responses and then follows/downloads those URLs (types/image.ts GeneratedImage.save()/Image.save()) and uses the parsed text/metadata to drive chat state and subsequent requests, meaning untrusted third-party/user-generated content can materially influence tool actions.