gemini-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports fetching and interpreting arbitrary public web content (built-in tools "google_web_search" and "web_fetch" and the @ URL reference syntax) with concrete examples in SKILL.md and references/commands.md (e.g., "Summarize @https://github.com/org/repo/README.md" and @https://... usage), so untrusted third-party pages and extensions can be ingested and used to drive tool actions and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly supports runtime fetching of external URLs into prompts using the @ syntax (e.g., gemini -p "Summarize @https://github.com/org/repo/README.md"), so https://github.com/org/repo/README.md can be fetched at runtime and directly control the agent prompt/context.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The skill enables running shell commands, global installs, auto-accept/YOLO mode, and installing remote extensions (all of which can execute or write code and modify the local user environment), but it does not instruct privilege escalation, editing privileged system files, or creating new user accounts.