NYC

gemini-cli

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): Core instructions in SKILL.md and patterns.md recommend the '--yolo' (or '-y') flag for the Gemini CLI. This flag bypasses manual confirmation for tool execution, allowing the AI to autonomously modify the local filesystem and perform other high-risk operations without human oversight.
  • REMOTE_CODE_EXECUTION (HIGH): The combination of the '--yolo' auto-approval mode and data-ingestion tools such as 'google_web_search' and 'web_fetch' (documented in tools.md) creates a direct path for RCE. Maliciously crafted content from external web pages can provide instructions that the Gemini CLI will execute locally on the host machine.
  • EXTERNAL_DOWNLOADS (LOW): The skill instructs users to install the '@google/gemini-cli' package. Per the [TRUST-SCOPE-RULE], because the package originates from a Trusted External Source (Google), the download itself is classified as LOW severity, though its usage in the skill's workflows remains highly dangerous.
  • DATA_EXFILTRATION (MEDIUM): The 'codebase_investigator' tool and architectural analysis templates promote sending extensive local codebase data to external Google APIs. Users should be aware of the data privacy implications of transmitting sensitive internal source code to a third-party service.
  • PROMPT_INJECTION (LOW): The skill exhibits a significant attack surface for Indirect Prompt Injection.
      ◦ Ingestion points: google_web_search, web_fetch, and local file reading via the '@' syntax (SKILL.md, tools.md).
      ◦ Boundary markers: No specific delimiters or 'ignore' instructions are provided in the templates to separate trusted commands from untrusted data.
      ◦ Capability inventory: Filesystem write access via 'gemini --yolo' and arbitrary shell execution via the host agent's 'Bash' tool.
      ◦ Sanitization: No evidence of escaping or validating content retrieved from external sources before it is processed by the AI.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:08 PM