gemini

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and scripts/gemini_ctl.py explicitly invoke Google-backed web_search and web_fetch to read arbitrary URLs and public web search results (e.g., SEARCH_PROMPT and WEB_PROMPT in scripts/gemini_ctl.py), meaning the agent ingests untrusted public web content as part of its workflow and that content can influence subsequent outputs/actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The gemini_ctl script explicitly sends a runtime prompt telling the Gemini CLI to "use your web_fetch tool to read: {url}" (i.e., any user-supplied http(s) URL passed to the "web" or "summarize" commands), so arbitrary remote page content fetched at runtime can directly control the agent's instructions/output.