gemini (skills/lucklyric/cc-dev-tools/gemini)

Verdict: Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill documents and encourages the use of highly permissive flags for the Gemini CLI. Specifically, '--approval-mode yolo' (or '-y') allows the agent to automatically accept all actions without user confirmation, and '--approval-mode auto_edit' enables automatic file modifications based on model output.
  • [COMMAND_EXECUTION]: The CLI includes a '--raw-output' flag which, as noted in the provided help documentation, disables sanitization of model output and 'can be a security risk if the model output is untrusted.' This allows for the execution of terminal-based attacks if the model produces malicious escape sequences.
  • [EXTERNAL_DOWNLOADS]: The Gemini CLI supports a plugin architecture through the 'gemini skills install ' command, which enables the downloading and execution of third-party agent capabilities from remote sources. This represents a mechanism for arbitrary remote code execution if used with untrusted sources.
  • [PROMPT_INJECTION]: The skill creates a broad surface for indirect prompt injection by processing external data (from web searches and file reading) and executing actions based on that data with elevated permissions.
    • Ingestion points: Data enters the system context via the 'web_search' extension and file path references (e.g., references/file-context.md).
    • Boundary markers: The instructions do not specify any delimiters or warnings to ignore embedded instructions in the ingested data.
    • Capability inventory: The CLI can modify files and execute various tools (e.g., in 'yolo' mode).
    • Sanitization: Output sanitization can be explicitly disabled via the '--raw-output' flag.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 14, 2026, 08:32 AM