baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill performs live HTTP requests to public Gemini/Google endpoints (e.g., Endpoint.GENERATE and BATCH_EXEC at gemini.google.com in scripts/gemini-webapi/client.ts and fetches "custom" gems in scripts/gemini-webapi/components/gem-mixin.ts), parses untrusted model/candidate text and web_image URLs from those responses, and even downloads external image URLs (scripts/gemini-webapi/types/image.ts), so it clearly ingests and interprets third-party user/website content.