run-gemini

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill accepts an env object and explicitly names sensitive variables like GEMINI_API_KEY (and proxy/credential vars), which encourages the agent to insert secret values verbatim into the tool call/output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's description says it sends tasks to an external assistant via the mcp__plugin_headless-knight_runCLI__gemini tool to perform "网络搜索" and "网页读取" (web searches and webpage reading), meaning the agent will fetch and ingest open/public third-party web content as part of its workflow, which can carry untrusted, user-generated content and enable indirect prompt injection.