baoyu-danger-gemini-web
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `child_process.spawn` in `scripts/gemini-webapi/utils/load-browser-cookies.ts` to launch browser executables (Chrome, Edge, or Chromium) found on the host system to facilitate authentication.
- [CREDENTIALS_UNSAFE]: The skill extracts sensitive session cookies including `__Secure-1PSID` and `__Secure-1PSIDTS` from the automated browser and saves them in plain text JSON files within the user's application data directory (e.g., `~/.local/share/baoyu-skills/gemini-web/cookies.json`).
- [DATA_EXFILTRATION]: The skill reads local files provided via command-line arguments and uploads their content to Google's `content-push.googleapis.com` endpoint during image generation and vision tasks.
- [EXTERNAL_DOWNLOADS]: The skill downloads generated or web-sourced images from Google's `googleusercontent.com` domains directly to the local filesystem using `fetch` in `scripts/gemini-webapi/types/image.ts`.
- [PROMPT_INJECTION]: The skill incorporates external data from local files into AI generation prompts, creating a surface for indirect prompt injection.
  - Ingestion points: Prompt content and reference images are read from the filesystem in `scripts/main.ts` via `readFile`.
  - Boundary markers: No specific delimiters or safety instructions are used when concatenating file content into the API request body in `scripts/gemini-webapi/client.ts`.
  - Capability inventory: The skill has permissions for network communication (Google APIs), broad file system access (reading prompts/images, writing cookies/sessions), and process execution (launching browsers).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content retrieved from external files before it is processed by the AI model.
Audit Metadata