baoyu-danger-gemini-web
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill spawns browser processes (Chrome, Edge, or Chromium) using `child_process.spawn` in `scripts/gemini-webapi/utils/load-browser-cookies.ts`. It uses the `--remote-debugging-port` flag to enable the Chrome DevTools Protocol (CDP), allowing the script to automate the browser and programmatically extract session cookies.
- CREDENTIALS_UNSAFE (MEDIUM): The skill manages sensitive Google session cookies (`__Secure-1PSID`, `__Secure-1PSIDTS`). These are stored in a local JSON file (`cookies.json`) in the user's application data directory and cached in temporary text files (`.cached_1psidts_*.txt`). This storage of long-lived session credentials in the filesystem creates a local exposure surface.
- DATA_EXFILTRATION (LOW): In `scripts/gemini-webapi/utils/upload-file.ts`, the skill reads local files and uploads them to `https://content-push.googleapis.com/upload`. This is the intended behavior for processing reference images for Gemini's vision capabilities, but it constitutes a network transmit operation of local file data.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection through the ingestion of untrusted local data.
  - Ingestion points: User-provided file paths via `--promptfiles` and reference images via `--reference` in `SKILL.md`.
  - Boundary markers: None; the skill concatenates file content into the API request payload without delimiters or 'ignore' instructions.
  - Capability inventory: `spawn` (process execution), `writeFile` (image persistence), `readFile` (file ingestion), and `fetch` (external data transmission).
  - Sanitization: No input sanitization or delimiter protection was detected for the interpolation of external file content into the AI prompt.