gemini
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The wrapper script gemini-chat.sh invokes the gemini CLI with the --approval-mode yolo flag. This flag disables the confirmation prompt for tool calls, so any shell command or file edit the model decides to run is executed automatically, without a human approving it.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection (Category 8).
  - Ingestion points: The skill documentation confirms it uses google_web_search and read_file, both of which pull untrusted data into the model's context.
  - Boundary markers: The wrapper script implements no boundary markers or instructions that separate the user's prompt from external data, so the model has no signal that fetched content is data rather than instructions.
  - Capability inventory: With yolo mode enabled, the model has full, unprompted use of every tool integrated with the CLI (e.g., shell access, file modification).
  - Sanitization: No sanitization or validation is performed on data retrieved from external sources.
- [REMOTE_CODE_EXECUTION] (HIGH): Together, the yolo execution policy and the untrusted ingestion points form a path to remote code execution by proxy. An attacker-controlled web page returned by a search, or a malicious file the agent is asked to read, can carry hidden instructions that the model follows and the CLI executes on the host system without user oversight.
Recommendations
- The audit flags serious security threats. At a minimum, remove --approval-mode yolo from gemini-chat.sh so that every tool call the model proposes is shown to the user for approval before it runs, and do not re-enable it for unattended use.
- Treat everything returned by google_web_search and read_file as untrusted data: mark its boundaries in the prompt and instruct the model not to follow instructions found inside it.
- Run the CLI in a sandbox or an otherwise disposable environment with minimal credentials, so that a tool call triggered by an injected instruction has limited reach.
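The following is an added example, not the audited gemini-chat.sh and not code from the Gen Agent Trust Hub. It shows the weak setting the finding describes beside a hardened wrapper: a pre-flight guard that refuses to launch the gemini CLI when the argument list enables yolo mode, and otherwise runs the CLI with the default (prompting) approval mode inside the CLI's sandbox. The function names and the GEMINI_BIN override are hypothetical and exist only so the guard can be exercised without the real binary; the flag spellings (--yolo, -y, --approval-mode) are the Gemini CLI's own as documented at the time of writing, so verify them against `gemini --help` for your version. The guard addresses the COMMAND_EXECUTION and REMOTE_CODE_EXECUTION findings; it does nothing about the missing boundary markers on fetched content, which remain untrusted even in default mode.

```shell
#!/usr/bin/env bash
# Added example (not the audited gemini-chat.sh): a guard that refuses to
# start the gemini CLI with automatic tool approval.

# Returns 0 (true) if any argument turns on yolo mode, 1 otherwise.
# Recognised spellings: --yolo, -y, --approval-mode yolo, --approval-mode=yolo.
gemini_args_autoapprove() {
  local prev="" arg
  for arg in "$@"; do
    case "$arg" in
      --yolo|-y|--approval-mode=yolo) return 0 ;;
    esac
    if [ "$prev" = "--approval-mode" ] && [ "$arg" = "yolo" ]; then
      return 0
    fi
    prev="$arg"
  done
  return 1
}

# Weak invocation, as the finding describes it (shown, never executed here):
#   gemini --approval-mode yolo -p "$PROMPT"
#
# Hardened wrapper entry point: refuse yolo, otherwise run the CLI with the
# default approval mode (every tool call is shown to the user first) and the
# CLI's sandbox, so an approved tool call still runs in a container rather
# than directly on the host. GEMINI_BIN is a hypothetical override used only
# to exercise the guard without the real binary installed.
guarded_gemini() {
  if gemini_args_autoapprove "$@"; then
    echo "refusing to run: yolo approval mode executes tool calls without review" >&2
    return 2
  fi
  "${GEMINI_BIN:-gemini}" --approval-mode default --sandbox "$@"
}

# Usage from a wrapper script:
#   guarded_gemini -p "summarise the search results for <topic>"
```

Because the caller's own arguments are appended after the hardened defaults, a later --approval-mode yolo would normally win; the guard runs before the CLI is invoked precisely so that it cannot.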
Audit Metadata