baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly fetches and parses responses from external Gemini endpoints (e.g., Endpoint.GENERATE and BATCH_EXEC at gemini.google.com in scripts/gemini-webapi/client.ts and components/gem-mixin.ts), including custom "gems" and web/image URLs (googleusercontent) which are untrusted third‑party content that the runtime consumes as candidate.text/metadata and image URLs and then uses to drive actions (printing, session state, downloading/saving images) in scripts/main.ts — allowing those external responses to materially influence tool use and next actions.