oracle-gemini
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill executes a local prerequisite check script (`check-gemini.sh`) and the `gemini` CLI. While these are part of the intended functionality, they represent a local execution surface.
- DATA_EXFILTRATION (LOW): The skill writes potentially sensitive codebase information and generated plans to temporary files in `/tmp` using semi-predictable names (`/tmp/gemini-${RANDOM}${RANDOM}.txt`). On multi-user systems, this can lead to local data exposure where other users or processes could read the code context or Gemini's output.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from the local codebase and user requests, interpolating them directly into instructions for the Gemini model.
  - Ingestion points: User request strings and file contents read from the local repository.
  - Boundary markers: It uses simple templates (e.g., 'Analyze this codebase...') but lacks robust delimiters or escaping to prevent the ingested content from overriding the 'planning only' constraints.
  - Capability inventory: The skill can execute shell commands (`gemini`, `bash`), write to the filesystem, and read arbitrary files.
  - Sanitization: No sanitization or validation of the user-provided request or the codebase content is performed before interpolation.
- DYNAMIC_EXECUTION (SAFE): The skill uses heredocs (`cat > "$GEMINI_PROMPT" <<'EOF'`) to create prompt files. The use of quoted `EOF` correctly prevents variable expansion, mitigating shell injection during file creation.