gemini-cli
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
geminicommand by interpolating untrusted user input directly into a shell string (e.g.,gemini "Your prompt"). This pattern is vulnerable to shell injection attacks where an attacker could use characters like;,&, or$()to execute arbitrary code on the host machine. - [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the Gemini CLI from Google's official GitHub repository.
- [PROMPT_INJECTION]: The skill processes untrusted external data, creating an indirect prompt injection surface.
- Ingestion points: User-provided prompt strings and the content of local files piped into the command (e.g.,
cat file.txt). - Boundary markers: The documentation suggests wrapping prompts in double quotes, but no robust boundary markers or system instructions are present to prevent the model from obeying instructions embedded within the data.
- Capability inventory: The skill possesses the ability to execute subprocesses (the
geminiCLI) and read local files via shell piping. - Sanitization: No input validation or sanitization is performed on the user prompt or file content before it is executed in the shell context.
Recommendations
- AI detected serious security threats
Audit Metadata