baoyu-danger-gemini-web

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill extracts sensitive Google session cookies (__Secure-1PSID, __Secure-1PSIDTS) from the user's browser and stores them in an unencrypted local JSON file (cookies.json). These credentials provide full account access and are handled without encryption. Evidence found in scripts/gemini-webapi/utils/load-browser-cookies.ts and scripts/gemini-webapi/utils/cookie-file.ts.
  • [COMMAND_EXECUTION] (HIGH): The skill programmatically controls browser instances by spawning Chrome/Edge with the --remote-debugging-port flag to access internal browser state and session data via CDP. Evidence found in scripts/gemini-webapi/utils/load-browser-cookies.ts.
  • [PROMPT_INJECTION] (MEDIUM): The skill has a significant indirect prompt injection surface as it ingests untrusted external content through prompt files and vision inputs (reference images) without sanitization or explicit boundary markers. Capability inventory includes LLM generation with side effects. Evidence found in SKILL.md.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): Documentation recommends executing local scripts using 'npx -y bun', which automates dependency installation and execution without manual verification, posing a risk if the environment or file paths are compromised. Evidence found in SKILL.md.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill fetches and saves images from arbitrary remote URLs identified in API responses or user input. Evidence found in scripts/gemini-webapi/types/image.ts.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:08 PM