gemini-claude-loop
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in `SKILL.md` and `references/commands.md` frequently use shell command interpolation (e.g., `$(cat .gemini-loop/plan.md)`) to inject file contents into the parameters of the `gemini` CLI. This pattern can lead to command injection if the files being read (which may be generated by another AI or exist in the codebase) contain shell metacharacters like backticks, semicolons, or dollar signs intended to break out of the command string.
- [PROMPT_INJECTION]: The workflow creates an indirect prompt injection surface (Category 8) by passing project source code and implementation plans to the Gemini model for review. Malicious instructions hidden in the codebase could potentially manipulate the behavior of the reviewing agent.
  - Ingestion points: Files located in the `.gemini-loop/` directory and the project's `./src` directory.
  - Boundary markers: The prompt templates provided in `references/commands.md` lack strong boundary markers or "ignore instructions" directives to separate context from instructions.
  - Capability inventory: The skill possesses capabilities for shell command execution (`gemini` CLI) and file system read/write access.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the file content before it is interpolated into shell commands and model prompts.
Audit Metadata