gemini-review

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It reads code changes using git diff and interpolates them directly into the LLM prompt in SKILL.md (Step 4).
      • Ingestion points: The output of git diff (staged, uncommitted, or branch-based) is passed to the AI.
      • Boundary markers: Uses markdown code blocks (triple backticks) to delimit the diff, which can be bypassed by malicious content within the diff itself.
      • Capability inventory: The skill uses mcp__acp__Bash to execute the gemini CLI with the --yolo flag.
      • Sanitization: No sanitization or filtering is performed on the diff content before it is sent to the LLM.
  • [COMMAND_EXECUTION]: The execution flow in SKILL.md uses the gemini CLI with the --yolo flag. This flag is typically used in LLM-powered command-line tools to allow the model to execute suggested actions or fixes without explicit user confirmation. When combined with the indirect prompt injection surface mentioned above, this creates a risk of remote code execution if a malicious diff tricks the model into outputting a destructive command.
  • [EXTERNAL_DOWNLOADS]: The skill documentation refers to https://github.com/google-gemini/gemini-cli for installation. This is an official repository from a well-known organization (Google) and is documented here as a trusted reference.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 04:16 PM