run-gemini
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [Dynamic Execution] (MEDIUM): The mcp__plugin_headless-knight_runCLI__gemini tool accepts an env object allowing for the definition of arbitrary environment variables. This capability can be exploited to hijack execution flow or escalate privileges using variables such as LD_PRELOAD, PATH, or NODE_OPTIONS within the execution context.
- [Command Execution] (MEDIUM): The skill relies on an external environment variable GEMINI_CLI_COMMAND to determine the executable path. This creates a dependency on a computed path that could be manipulated to run malicious binaries if the environment is compromised.
- [Indirect Prompt Injection] (LOW): The skill is explicitly designed to read and summarize external web pages and search results. This untrusted data can contain adversarial instructions intended to subvert the agent's logic.
- Ingestion points: Web content and search results processed by the runCLI__gemini tool.
- Boundary markers: No specific delimiters or safety instructions are defined to separate user/web data from the tool's system instructions.
- Capability inventory: The skill possesses CLI execution capabilities and network access.
- Sanitization: No sanitization or filtering logic is present for the ingested external strings.
Audit Metadata