gemini-review
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill employs high-pressure imperative language and blocking instructions (e.g., 'STOP IMMEDIATELY', 'MANDATORY THRESHOLD CHECK', 'BLOCKING checkpoint', 'non-negotiable') designed to override the agent's natural task completion flow and safety filters in favor of a specific external review loop.
- [COMMAND_EXECUTION]: The skill defines multiple templates for executing `Bash` commands that dynamically incorporate session context (e.g., `[FEATURE]`, `[CHANGE]`, `[PROBLEM DESCRIPTION]`). If the agent populates these placeholders with unvalidated or unescaped user-provided strings, it creates a significant surface for command injection.
- [DATA_EXFILTRATION]: The instructions mandate passing the entire current directory (`.`) to the `gemini` CLI tool. This action results in the exposure and transfer of the full codebase context to an external command-line utility and its associated backend services.
- [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8). It ingests untrusted data from the codebase, processes it via an external LLM (Gemini), and then uses the resulting output to influence the agent's architectural recommendations and implementation steps.
  - Ingestion points: Reads the entire codebase via the `.` argument in `SKILL.md`.
  - Boundary markers: None provided in the command templates to separate user code from instructions.
  - Capability inventory: Uses `Bash` to execute CLI tools and `git` commands.
  - Sanitization: No explicit sanitization or escaping of code content before sending it to the external model is mentioned.
Audit Metadata