baoyu-danger-gemini-web

Fail

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: CRITICAL
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses child_process.spawn in scripts/gemini-webapi/utils/load-browser-cookies.ts to launch a local browser instance (Chrome, Edge, or Chromium) to perform cookie extraction via the Chrome DevTools Protocol (CDP). The path to the executable can be overridden by the environment variable GEMINI_WEB_CHROME_PATH.
  • [DATA_EXFILTRATION]: The skill extracts and manages sensitive Google session cookies (__Secure-1PSID and __Secure-1PSIDTS). These credentials are extracted from browsers and stored in unencrypted JSON files at predictable local paths (e.g., ~/Library/Application Support/baoyu-skills/gemini-web/cookies.json) and transmitted to Google endpoints for authentication.
  • [REMOTE_CODE_EXECUTION]: The execution instructions in SKILL.md recommend using npx -y bun, which involves a package runner that may download and execute code from the NPM registry at runtime.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from CLI arguments, local files (--promptfiles), and standard input. It lacks robust boundary markers or sanitization to mitigate indirect prompt injection attacks where malicious content in processed inputs could influence the API response or agent behavior.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 23, 2026, 03:11 PM