gemini

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill explicitly instructs the agent to use --approval-mode yolo (or the -y flag) for background tasks to prevent the process from hanging. This flag bypasses manual approval for tools executed by the Gemini CLI. If the CLI has the capability to write files or execute system commands, this recommendation removes the primary security barrier against malicious tool usage.
  • PROMPT_INJECTION (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core function of processing untrusted external data.
      - Ingestion points: The skill reads "entire codebases", "documentation sets", and additional directories specified via --include-directories.
      - Boundary markers: No boundary markers (like XML tags or delimiters) or instructions to ignore embedded commands are included in the recommended prompts.
      - Capability inventory: The CLI possesses powerful capabilities including automatic file editing (auto_edit) and full tool execution (yolo).
      - Sanitization: There is no evidence of sanitization or filtering of the content being read from the workspace before it is processed by the model.
  • COMMAND_EXECUTION (LOW): The skill provides instructions for using system monitoring and process management tools (ps, lsof, pkill, kill -9) to manage hung processes. While these are used for legitimate troubleshooting of the gemini process, they involve forceful termination of processes based on string matching.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:25 PM