NYC

pw-danger-gemini-web

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH | CREDENTIALS_UNSAFE | DATA_EXFILTRATION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill is designed to manage, cache, and rotate sensitive Google session cookies (__Secure-1PSID, __Secure-1PSIDTS).
    • Evidence: scripts/gemini-webapi/utils/get-access-token.ts attempts to load cookies from the local Chrome profile using load_browser_cookies.
    • Evidence: scripts/gemini-webapi/utils/cookie-file.ts and scripts/gemini-webapi/utils/rotate-1psidts.ts store these credentials in plaintext JSON and text files within the user's data directory (e.g., ~/.local/share/baoyu-skills/gemini-web/cookies.json).
  • [DATA_EXFILTRATION] (MEDIUM): The skill includes functionality to read local files and upload them to an external endpoint.
    • Evidence: scripts/gemini-webapi/utils/upload-file.ts uses fs.readFile on arbitrary paths and POSTs the content to https://content-push.googleapis.com/upload. While the target is a Google endpoint, this capability can be abused to exfiltrate sensitive local data.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill can download content from arbitrary URLs and save it to the local filesystem.
    • Evidence: scripts/gemini-webapi/types/image.ts implements a save method that fetches data from this.url and writes it to a local directory.
  • [COMMAND_EXECUTION] (LOW): Potential path traversal risk in the file-saving logic.
    • Evidence: In scripts/gemini-webapi/types/image.ts, the filename is derived from the URL: filename = filename ?? this.url.split('/').pop()?.split('?')[0]. Although there is a basic regex check for extensions, the code uses path.join(dir, filename) without explicitly sanitizing for directory traversal sequences (e.g., ../), which could allow writing files outside the intended 'temp' directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:04 AM