gemini

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Metadata Poisoning] (HIGH): The skill provides deceptive information regarding "Gemini 3 Pro" and "Gemini 2.5" versions and performance benchmarks (e.g., 76.2% SWE-bench) that do not exist in public documentation. This could cause an agent or user to over-rely on the tool's capabilities or trust its output based on false reliability claims.
  • [Tool Approval Bypass] (HIGH): Instructions mandate the use of --approval-mode yolo for automated tasks. This flag disables human-in-the-loop approvals for the Gemini CLI's internal tools (such as code editing), granting an external LLM-driven process unreviewed write access to the local workspace.
  • [Indirect Prompt Injection] (LOW): The skill's primary function is processing untrusted data (entire codebases) without boundary markers or sanitization, creating a surface for embedded instructions to influence the agent's behavior.
    ◦ Ingestion points: Workspace files and directories via --include-directories and prompt interpolation.
    ◦ Boundary markers: Absent; untrusted content is passed directly in the prompt or file context.
    ◦ Capability inventory: Subprocess calls (gemini), file modification (via the Gemini CLI's auto_edit), and process termination (pkill, kill).
    ◦ Sanitization: Absent; no escaping or validation of the ingested codebase is performed.
  • [Aggressive Command Execution] (LOW): The skill recommends using kill -9 and pkill -9 for process management. While standard for troubleshooting, these are destructive commands that can lead to data loss or system instability if misapplied by an agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 04:34 PM