baoyu-danger-gemini-web
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill programmatically extracts Google authentication cookies from the user's browser profiles.
  - Evidence: `scripts/gemini-webapi/utils/load-browser-cookies.ts` implements a Chrome DevTools Protocol (CDP) client to call `Network.getCookies` for the purpose of obtaining `__Secure-1PSID` and other session tokens.
- [COMMAND_EXECUTION] (HIGH): The skill spawns browser processes with specific debugging flags that allow for programmatic control and session hijacking.
  - Evidence: `scripts/gemini-webapi/utils/load-browser-cookies.ts` uses `child_process.spawn` to launch browser binaries (Chrome, Edge, or Chromium) with the `--remote-debugging-port` and `--user-data-dir` flags.
- [DATA_EXFILTRATION] (MEDIUM): The skill has the capability to read local files and transmit them to external endpoints.
  - Evidence: `scripts/gemini-webapi/utils/upload-file.ts` reads local file content using `fs.promises.readFile` and uploads it to `https://content-push.googleapis.com/upload` using the `fetch` API.
- [PROMPT_INJECTION] (HIGH): The skill exhibits a significant indirect prompt injection surface due to high-privilege capabilities combined with untrusted data processing.
  - Ingestion points: Reads responses from the Gemini Web API (`scripts/gemini-webapi/utils/parsing.ts`) and processes local files as prompts (`SKILL.md`).
  - Boundary markers: No boundary markers or 'ignore embedded instructions' delimiters are used.
  - Capability inventory: Browser process spawning (`scripts/gemini-webapi/utils/load-browser-cookies.ts`), cookie extraction via CDP, local file read/write access, and network operations.
  - Sanitization: Only basic HTML entity decoding is performed on API outputs in `scripts/gemini-webapi/types/candidate.ts`.
Recommendations
- AI detected serious security threats
Audit Metadata