gemini-research

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted external data from Google Search via Gemini and feeds it to a 'Coder' agent with instructions to 'Implement using: ${research.content}'.
    1. Ingestion points: External data processed by gemini-research.sh.
    2. Boundary markers: None present.
    3. Capability inventory: Bash, Write, Read tools allowed.
    4. Sanitization: None present.
    This allows attackers to poison web content to inject malicious code into the agent's workspace.
  • Data Exposure (MEDIUM): The 'Library-First Protocol' mandates the agent search 'D:\Projects*' for code reuse. This is an overly broad file access instruction that could expose sensitive source code, environment files, or credentials across the user's entire drive.
  • Unverifiable Command Execution (MEDIUM): The skill executes a local shell script 'scripts/multi-model/gemini-research.sh' passing the raw user query as an argument. Since the script content is not provided, the safety of its input handling and the potential for shell injection cannot be audited.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 08:01 AM