pw-danger-gemini-web
Audited by Socket on Feb 15, 2026
2 alerts found:
SecurityAnomaly [Skill Scanner] Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This SKILL.md describes a reverse-engineered Gemini Web CLI that reads local prompts and images, opens a browser for Google login, stores cookies and sessions locally, and sends prompts/reference images to Gemini endpoints. The documented capabilities match the stated purpose, but the reverse-engineered nature, local persistence of cookies, and reliance on proxies increase supply-chain and credential risks. There is no explicit malicious content in this README, but the implementation (not provided) must be inspected to ensure it contacts only official Google endpoints and does not exfiltrate cookies or prompt data. Treat this skill as potentially risky: review the actual scripts, verify network endpoints, and avoid running unreviewed binaries or packages that bundle the runtime.

LLM verification: The SKILL.md documents an unofficial Gemini Web client that opens a browser for Google login, persists cookies and session data locally, reads local prompt/image files, and sends requests to reverse-engineered Gemini endpoints. The documentation itself contains no explicit malicious code, but the design choices (persisting full browser cookies, unspecified network endpoints, proxy guidance with no vetted proxies) create meaningful operational risk. Before trusting or running this skill, perform
This code actively reads Google authentication cookies from a locally launched browser via CDP and persists them to disk. Functionally this is a legitimate automation technique to capture a user-authenticated session, but it carries significant sensitivity because it harvests and stores authentication tokens. I see no clear evidence of network exfiltration or obfuscation in this fragment, but the capability to extract cookies makes it potentially dangerous if misused or if other parts of the package exfiltrate or mishandle stored cookies. Recommend auditing write_cookie_file/read_cookie_file and overall package provenance before use.