gemini
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/gemini_ctl.py executes the gemini CLI tool using subprocess.run. While it passes arguments as a list to avoid shell injection, the skill depends on an external binary located in the system path or a global npm directory, which represents a potential risk if the environment is compromised or the binary is malicious.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  1. Ingestion points: Untrusted data is ingested via the web, search, and summarize commands (fetching URLs) and the analyze command (reading local files).
  2. Boundary markers: The prompt templates lack delimiters or instructions for the model to ignore malicious content within the fetched data.
  3. Capability inventory: The skill can execute shell commands via the Gemini CLI and read local files.
  4. Sanitization: Only simple space escaping is performed on file paths; no content-level sanitization is applied to fetched web pages or files before they are processed by the Gemini model.
- [COMMAND_EXECUTION]: The analyze and summarize commands can be directed to read any file on the local system that the user has permissions for. The script lacks path restrictions (e.g., sandboxing to a specific data directory), allowing for potential unauthorized data exposure if the agent is manipulated into reading sensitive files like configuration or SSH keys.
Audit Metadata