gemini-researcher
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bash script bin/gemini-researcher is vulnerable to shell command injection. The variables $MODEL_ARG and $PASS_ARGS are expanded without quotes in the line gemini $MODEL_ARG $PASS_ARGS "$full_prompt". An attacker or a malicious prompt could provide input (e.g., for the --model flag) containing shell metacharacters like ;, &, or | to execute arbitrary commands on the host system.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the @google/gemini-cli package from npm. This is an official tool from a trusted organization used for its intended purpose.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it lacks safeguards when processing user data.
  - Ingestion points: User-supplied research topics, content, and URLs in bin/gemini-researcher.
  - Boundary markers: Absent; templates like DEEP_TEMPLATE and SUMMARY_TEMPLATE use direct interpolation without delimiters or instructions to ignore embedded commands.
  - Capability inventory: Subprocess execution via the gemini CLI.
  - Sanitization: Absent; the script uses printf and shell variable expansion to build prompts without escaping or validation.
Recommendations
- AI detected serious security threats
Audit Metadata