baoyu-gemini-web
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): The skill automates the extraction and local storage of Google authentication cookies from the user's Chrome profile to authenticate with the reverse-engineered Gemini API. These sensitive credentials are saved in application support directories (e.g.,
~/Library/Application Support/baoyu-skills/gemini-web). - [COMMAND_EXECUTION] (MEDIUM): The skill relies on
npx -y bunto execute local TypeScript files (scripts/main.ts). This gives the skill's scripts the ability to execute arbitrary code with the user's privileges. The actual content of these scripts is not provided in the primary markdown file for verification. - [EXTERNAL_DOWNLOADS] (LOW): The use of
npx -y bunwill dynamically download the Bun runtime from the npm registry if it is not already present on the system. - [DATA_EXPOSURE] (LOW): Chat sessions, including prompts and responses, are stored in plain JSON files in the user's home directory, which could be accessible to other local processes.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill accepts external data through
--promptfilesand--referenceimage flags. - Ingestion points: Files passed to
--promptfilesand vision data via--reference. - Boundary markers: None specified in the documentation.
- Capability inventory: File writing (images/sessions), network access (Google Gemini), and subprocess execution (npx/bun).
- Sanitization: No evidence of sanitization for ingested file content before it is sent to the LLM.
Audit Metadata