self-learning
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Remote Code Execution] (HIGH): The skill is designed to generate and save executable scripts (Python, Bash, etc.) in a scripts/ directory based on content extracted from arbitrary web URLs. Because the input source is untrusted (the public web), an attacker can poison documentation pages with malicious code that the agent will then download and save to the local filesystem for future execution.
- [Indirect Prompt Injection] (LOW):
  - Ingestion points: read_url_content and browser_subagent in SKILL.md are used to fetch content from attacker-controllable documentation sites.
  - Boundary markers: Absent. The skill does not instruct the agent to ignore instructions found within the scraped content.
  - Capability inventory: write_to_file is used to create persistent new skills and scripts.
  - Sanitization: Absent. The content is 'synthesized' directly into new instructions.
- [Persistence Mechanisms] (MEDIUM): The skill creates persistent agent capabilities in ~/.gemini/antigravity/skills/ or local .agent/skills/ directories. These generated skills are explicitly designed to 'auto-trigger' when the agent encounters specific technologies in the future, providing a mechanism for an initial web-based attack to maintain a presence in the agent's environment.
- [Dynamic Execution] (HIGH): The skill performs runtime script generation by writing .py or .sh files based on dynamic strings generated from scraped web data. This bypasses static analysis of the original skill and introduces significant risk if the generated scripts are executed by the agent or the user.
Recommendations
- AI detected serious security threats
Audit Metadata