baoyu-danger-gemini-web
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes `node:child_process` (`spawn` and `execSync`) to execute system commands. This includes launching web browser executables with remote debugging enabled and interacting with the Windows command prompt (`cmd.exe`) and WSL utilities for path resolution.
- [CREDENTIALS_UNSAFE]: The skill programmatically captures, stores, and rotates highly sensitive Google session cookies (`__Secure-1PSID` and `__Secure-1PSIDTS`). These credentials are saved to a local `cookies.json` file and grant the skill full access to the user's Gemini web session.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface.
  - Ingestion points: user-supplied prompts, referenced files via the `--promptfiles` argument, and responses from the reverse-engineered Gemini Web API.
  - Boundary markers: absent.
  - Capability inventory: local file system access (writing images, cookies, and session logs), network operations to Google services, and system command execution for browser automation across multiple scripts.
  - Sanitization: absent (uses only basic HTML entity decoding).
- [EXTERNAL_DOWNLOADS]: Neutrally fetches image assets and configuration data from official Google domains, including `gemini.google.com` and `googleusercontent.com`, to facilitate image generation and vision features.
Audit Metadata