gemini
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically constructs shell commands using strings derived from user input. In `SKILL.md`, the instruction `gemini -p "<english-prompt>"` suggests direct interpolation of a prompt into a bash command. Without strict escaping of shell metacharacters (e.g., semicolons, backticks, or pipes), a malicious user prompt could result in arbitrary command execution on the local host.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it is designed to ingest and process untrusted data.
  - Ingestion points: External data, such as codebase content and documentation, is ingested and passed to the Gemini CLI as part of an English prompt (see `SKILL.md` Step 2).
  - Boundary markers: The skill suggests using English formulations and specific execution flags like `--approval-mode plan` to scope the task, but lacks formal structural sanitization or delimiters for the ingested data.
  - Capability inventory: The agent possesses `Bash`, `Read`, and `Write` capabilities. If the downstream model's output is manipulated via injected instructions in the processed files, it could lead to unauthorized file modifications or command execution.
  - Sanitization: The skill mandates that output be treated as untrusted and requires user confirmation for destructive commands, which serves as a critical human-in-the-loop mitigation.
- [EXTERNAL_DOWNLOADS]: The skill relies on and references the `gemini` CLI tool. As this is a well-known technology service, the reference is documented neutrally. The skill includes a prerequisite check (`gemini --version`) to ensure the tool is present locally before attempting delegation.
Audit Metadata