gemini-exploration-patterns
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The 'MANDATORY: Invoke gemini-cli-docs First' section uses strong instructional overrides ('STOP', 'INVOKE', 'BASE all responses EXCLUSIVELY'). While intended for workflow control, this pattern mirrors instruction-bypass techniques used to constrain agent behavior to specific data sources.
- COMMAND_EXECUTION (LOW): The skill provides several bash snippets for file processing (e.g., `find . ... | xargs cat | gemini ...`). These commands are used to read codebase content and transmit it to an external CLI tool ('gemini').
- INDIRECT_PROMPT_INJECTION (LOW): The skill creates a surface for indirect prompt injection by design.
  - Ingestion points: Commands like `find ... | xargs cat` ingest arbitrary source code files into the agent's context.
  - Boundary markers: The suggested shell snippets lack delimiters or instructions to ignore embedded prompts within the source code being analyzed.
  - Capability inventory: The ingested data is piped directly into the `gemini` command, which communicates with external AI services.
  - Sanitization: No sanitization or filtering of the file content is performed before analysis.
Audit Metadata