gemini-reference
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill documentation describes an interaction pattern where an agent ingests untrusted data from external files and command outputs, creating a surface for indirect prompt injection.
  - Ingestion points: The reference details patterns for reading files via @-references (e.g., @src/api/) and piping arbitrary command output (e.g., git diff | gemini) into the agent's context.
  - Boundary markers: The provided documentation and examples do not specify the use of delimiters or 'ignore embedded instructions' warnings when interpolating external data into prompts.
  - Capability inventory: The documented gemini tool possesses highly privileged capabilities including ShellTool for system command execution and Edit/WriteFile for file system modification.
  - Sanitization: There is no mention of sanitizing, escaping, or validating the contents of external data before it is processed by the agent.