gemini
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): This skill has a significant attack surface for indirect prompt injection.
  - Ingestion points: The skill is designed to process entire codebases, documentation sets, and architectural plans (e.g., via `--include-directories`).
  - Boundary markers: No specific boundary markers or instructions to ignore embedded commands within the processed data are provided.
  - Capability inventory: The CLI tool has the ability to execute tools/actions, as evidenced by the `auto_edit` and `yolo` approval modes. It also uses system utilities like `pkill`, `kill`, and `ps`.
  - Sanitization: No evidence of sanitization or filtering of the ingested data is present.
- Command Execution (MEDIUM): The skill encourages the use of the `--approval-mode yolo` flag for non-interactive sessions. This mode explicitly disables human-in-the-loop review for actions taken by the model, which is a high-risk configuration when the input (codebase) is untrusted.
- Data Exfiltration (LOW): By design, this skill sends large portions of a workspace or codebase (up to 200k+ tokens) to external Google Gemini API endpoints for processing. While this is the intended purpose of the tool, users should be aware of the data exposure to a third-party service.
- Metadata Poisoning (MEDIUM): The skill references non-existent model versions such as 'gemini-3-pro-preview' and 'gemini-2.5-pro'. This misleading information could lead users to install or use unverified versions of a CLI tool or configurations that do not align with official releases, potentially leading to the execution of untrusted binaries.
Audit Metadata