baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill directly fetches and parses responses from external Gemini endpoints (e.g., Endpoint.GENERATE at https://gemini.google.com/.../StreamGenerate and batch/gem endpoints) and downloads/parses web/generated images from googleusercontent URLs, and the agent reads candidate.text, thoughts, web_images and generated_images as part of its workflow—exposing it to untrusted third-party content that could contain indirect prompt-injection.