
research

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill directs the agent to execute a bash command using the gemini CLI tool with a dynamically constructed parameter: gemini -m gemini-2.5-flash -p "...your search prompt...". This pattern is highly vulnerable to shell injection if the generated prompt contains shell metacharacters such as semicolons, backticks, or command substitution syntax.
  • [PROMPT_INJECTION] (HIGH): The skill has a high Indirect Prompt Injection (Category 8) risk because its core purpose is to ingest untrusted data from external sources.
    ◦ Ingestion points: Web search results and content from GitHub repositories via WebSearch and docs-seeker.
    ◦ Boundary markers: The skill lacks any instructions to use delimiters or to treat the retrieved content as untrusted data that should not be followed as instructions.
    ◦ Capability inventory: The skill has the capability to execute shell commands (gemini) and write files (Report: path) to the local system.
    ◦ Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the agent.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill retrieves data from the internet. While it uses tools like WebSearch, the content fetched is inherently untrusted and provides the primary attack vector for poisoning the agent's behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:37 PM