pw-danger-gemini-web
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and parses live responses and user-created "gems" from gemini.google.com (see scripts/gemini-webapi/client.ts and gem-mixin.ts which call Endpoint.GENERATE and BATCH_EXEC to ingest candidate.text/web_images) and even reads page HTML via the Chrome CDP flow (scripts/gemini-webapi/utils/load-browser-cookies.ts), so it consumes untrusted third-party/user-generated content as part of its workflow.
Audit Metadata