research
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill is configured to execute the 'gemini' bash command to perform technical searches. While this is the intended functionality for the research task, constructing shell commands with dynamically generated prompts introduces a potential command injection surface if the execution environment fails to sanitize arguments.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection because it ingests and analyzes data from attacker-controlled external sources (web and GitHub).
  - Ingestion points: Untrusted data enters the agent context via the 'WebSearch' tool, output from the 'gemini' CLI research prompts, and GitHub repository content fetched by the 'docs-seeker' skill.
  - Boundary markers: There are no explicit instructions or delimiters used to separate external, untrusted content from the agent's internal analysis logic.
  - Capability inventory: The skill has access to bash command execution ('gemini') and the ability to write files to the local filesystem ('.reports/plans/...').
  - Sanitization: No sanitization, escaping, or validation of the retrieved external content is performed before the agent processes it or writes it to the local reports.
Audit Metadata