gemini-frontend-assistant
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a high-risk attack surface by ingesting external content (source code files and UI screenshots) and passing them to an LLM for processing.
- Ingestion points: gemini-refactor.sh reads arbitrary local files (e.g., src/components/MyComponent.tsx); gemini-generate.sh processes external image files (screenshots).
- Boundary markers: Absent. There are no instructions to the LLM to ignore or sanitize instructions that might be embedded in code comments or visually within images.
- Capability inventory: The agent executes shell scripts which in turn call the Gemini CLI. The output (generated code) is intended to be integrated into the user's project.
- Sanitization: Absent. There is no evidence of input validation or output sanitization.
- Command Execution (HIGH): The skill's core functionality relies on executing external shell scripts (gemini-generate.sh, gemini-refactor.sh) located in the .claude/skills/ directory. These scripts are not provided in the skill payload, preventing verification of their internal logic or safety.
- Data Exposure (LOW): The skill naturally accesses local project files and potentially sensitive visual information (screenshots) to perform its functions. While expected, this increases the impact if the agent is compromised via prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata