web-deep-research

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands using gemini -p. These commands are constructed using strings derived from user research topics and subtopics. This creates a potential vector for shell command injection if the subtopics generated by the LLM contain shell metacharacters like semicolons, backticks, or pipes that could break out of the command's quoting context in SKILL.md.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches content from external websites and processes it through subsequent LLM prompts.
  • Ingestion points: The RAW_FINDINGS_FROM_ALL_SEARCHES variable stores untrusted data retrieved from external websites during iterative searches.
  • Boundary markers: The prompt templates for "Findings compression" and "Report generation" lack explicit delimiters or instructions to treat the external content as data only, which could allow malicious instructions hidden in search results to influence the agent.
  • Capability inventory: The agent has the capability to execute shell commands (gemini -p) and perform iterative network operations.
  • Sanitization: There is no evidence of sanitization, filtering, or escaping of the fetched web content before it is interpolated into the compression and report generation prompts.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 2, 2026, 11:02 AM