gemini-cli
Warn
Audited by Snyk on Mar 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly supports fetching and ingesting untrusted web content (e.g., the @https:// URL reference syntax in references/commands.md, built-in tools "web_fetch" and "google_web_search" in references/commands.md, installing extensions from GitHub URLs in SKILL.md/references/mcp-and-extensions.md, and remote MCP servers via httpUrl/SSE), and those external pages/extensions/GEMINI.md contexts are loaded and merged into prompts/workflow so third-party content can materially influence model actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly supports fetching remote content at runtime that can control prompts or execute code (e.g., using @https://github.com/org/repo/README.md in a prompt to inject remote content, and gemini extensions install https://github.com/GoogleCloudPlatform/cloud-run-mcp to fetch/install an extension that may include GEMINI.md context and MCP servers that run code), so these URLs present a runtime risk.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata