gemini-codebase-onboard
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill employs 'Kanitsal Cerceve (Evidential Frame Activation)' and 'Kaynak dogrulama modu etkin' (source verification mode enabled) in SKILL.md. This is a non-standard framing technique that uses foreign-language phrases and specialized terminology to force the model into a specific state, a pattern often used to bypass safety filters.
- [INDIRECT_PROMPT_INJECTION] (HIGH):
  - Ingestion points: The skill reads the entire codebase using `gemini --all-files` (SKILL.md, README.md).
  - Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present to isolate the untrusted codebase content.
  - Capability inventory: The skill allows high-privilege tools including `Bash`, `Write`, and `Edit` (SKILL.md).
  - Sanitization: No sanitization is performed. Malicious instructions inside the codebase could influence the agent's logic during the subsequent 'IMPLEMENT' phase, leading to unauthorized actions.
- [COMMAND_EXECUTION] (HIGH): The skill uses `bash -lc` to execute commands that include user-provided query strings and external file content. The 'gemini-yolo.sh' script suggests a 'YOLO' (You Only Look Once/Live Once) approach, which often implies bypassing safety confirmations or checks.
- [METADATA_POISONING] (MEDIUM): The `x-verix-description` field uses pseudo-technical assertive language (`[assert|neutral]`, `[state:confirmed]`) to trick automated analyzers or the model into assuming the skill is verified and safe; such an unverified self-claim of trustworthiness should carry no authority.
Recommendations
- AI detected serious security threats