baoyu-danger-gemini-web

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses node:child_process and spawn to launch browser executables (Chrome, Edge, Chromium) with sensitive flags like --remote-debugging-port to automate cookie extraction. It also uses execSync to run system commands for path resolution in WSL environments.
  • [DATA_EXFILTRATION]: To authenticate, the skill programmatically accesses and scrapes sensitive browser session cookies (__Secure-1PSID, __Secure-1PSIDTS) from the user's local browser profile and caches them in a local JSON file. While this data is sent to Google's official domains, the automated extraction of credentials from browser profiles is a high-privilege operation.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It includes features to concatenate local files (--promptfiles) and process images (--reference) into the AI's context window. If these files contain malicious instructions, the agent may execute them.
    ◦ Ingestion points: Prompts are read from CLI arguments, standard input, and files via readFile in scripts/main.ts and scripts/gemini-webapi/utils/upload-file.ts.
    ◦ Boundary markers: None identified. External content is interpolated directly into request payloads.
    ◦ Capability inventory: The skill can execute local scripts via bun, write files (images and sessions), and perform network operations to Google services.
    ◦ Sanitization: There is minimal sanitization of external content beyond standard JSON serialization before it is sent to the Gemini API.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with unofficial Google endpoints (gemini.google.com/_/BardChatUi/...) and downloads generated images from googleusercontent.com based on model outputs.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 12, 2026, 05:20 AM