second-opinion
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from user input and conversation history to construct prompts for the Gemini model.
  - Ingestion points: User questions, conversation summaries, and local file contents are read and written to a temporary file in Step 1 and Step 4.
  - Boundary markers: The template in `.second-opinion.md` lacks clear delimiters or instructions to the model to ignore any embedded commands within the gathered context.
  - Capability inventory: The skill executes the `gemini` CLI and manages files using the `rm` command.
  - Sanitization: No validation, escaping, or filtering is applied to the gathered context before it is processed by the external AI tool.
- [COMMAND_EXECUTION]: The skill executes local shell commands to interact with external tools and manage its temporary files.
  - Executes the `gemini` command to process the prompt generated from the conversation context.
  - Executes `rm` to clean up the `.second-opinion.md` file upon completion.
Audit Metadata