google-gemini-api
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill includes templates that ingest untrusted data from external sources and forward it to a generative model.\n
- Ingestion points: The Cloudflare Worker template (
templates/cloudflare-worker.ts) accepts user messages and chat history directly via JSON POST requests. The grounding templates (templates/grounding-search.ts) ingest data from external Google Search results.\n - Boundary markers: None of the templates utilize delimiters (e.g., XML tags or backticks) or specific instructions to isolate untrusted data from the system instructions.\n
- Capability inventory: The templates demonstrate network capabilities (sending data to the Gemini API) and enable 'Code Execution' tools which, while sandboxed in the cloud, can be manipulated by injected instructions.\n
- Sanitization: There is no implementation of input sanitization or validation before data is interpolated into prompt contexts.\n- [Data Exposure & Exfiltration] (LOW): The templates demonstrate network requests to
generativelanguage.googleapis.com.\n - Although this domain is not on the explicit whitelist, it is the official endpoint for the service. No access to sensitive local files (e.g.,
.ssh,.aws/credentials) is attempted.\n- [Unverifiable Dependencies] (LOW): The skill references the@google/genaipackage.\n - Source: This package is from a trusted organization (Google).\n
- Status: Per [TRUST-SCOPE-RULE], this finding is downgraded to LOW.
Audit Metadata