gemini-api-2026
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains meta-instructions intended to update the agent's internal knowledge base and override older training data (e.g., 'This skill corrects stale training data'). These are standard for knowledge-delta skills and do not attempt to bypass safety guidelines.
- [PROMPT_INJECTION]: The skill enables and documents tools for ingesting untrusted external data, which is a primary vector for indirect prompt injection.
- Ingestion points: The skill introduces
url_context(fetching live URLs) andfile_search(managed RAG) as tools for the agent to process external content (seeSKILL.mdandreferences/embeddings-and-rag.md). - Boundary markers: The provided code snippets do not demonstrate the use of specific boundary markers (e.g., XML tags or delimiters) to isolate untrusted content from instructions.
- Capability inventory: The skill enables the agent to perform network fetches (URL context), file read/write (File Search API), and UI interactions (Computer Use).
- Sanitization: No explicit sanitization or validation of the external content is shown in the usage examples.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the
google-genaipackage and references well-known libraries likelangchain-google-genaiandcrewai. These are recognized as legitimate ecosystem dependencies. - [COMMAND_EXECUTION]: The 'Computer Use' tool (described in
references/tools-and-agents.md) allows the agent to execute UI actions. The documentation explicitly mentions a safety mechanism requiring user confirmation for sensitive actions, which follows security best practices.
Audit Metadata