multi-model-discovery
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructions in both README.md and SKILL.md promote executing shell commands with direct string interpolation of user goals (e.g., `bash -lc "gemini '... {goal} ...'"`). This creates a critical command injection vulnerability: a user or malicious data can execute arbitrary code by injecting shell metacharacters such as semicolons or backticks.
- [PROMPT_INJECTION] (HIGH): This skill is vulnerable to Indirect Prompt Injection (Category 8). It is designed to fetch external content via Google Search and provide it to the agent for synthesis. Because the agent has 'Bash' and 'Write' capabilities and the prompt lacks boundary markers or instructions to ignore embedded commands in the search results, an attacker can hijack the agent by poisoning web pages. The inclusion of the 'Kanitsal Cerceve' (Evidential Framework) preamble is also a known pattern for attempting to bypass safety filters by forcing an 'evidential' persona.
- [DATA_EXFILTRATION] (MEDIUM): The 'Library-First Protocol' directs the agent to scan all directories in `D:\Projects\*` and specific local config files. This constitutes an over-privileged search mandate that exposes sensitive local project data to the agent's context, which could then be exfiltrated through the integrated network-enabled tools.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on external scripts (`delegate.sh`, `gemini-yolo.sh`) located in local directories that are not provided within the skill's source files, creating an unverifiable and potentially dangerous execution dependency.
Recommendations
- AI detected serious security threats
Audit Metadata