security-audit
Warn
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill attempts to download and install a Gemini extension from an unverified GitHub repository (https://github.com/gemini-cli-extensions/security) during the tool setup phase. This source is not recognized as a trusted organization or well-known service.
- [REMOTE_CODE_EXECUTION]: The execution of 'gemini extensions install' with a remote URL allows for the installation and subsequent execution of arbitrary code from an external source within the agent's environment.
- [COMMAND_EXECUTION]: The skill uses extensive Bash scripting to audit repositories. These scripts process file paths and content found within the project being scanned (e.g., in 'tool-installer.md' and 'file-analysis.md'). If filenames or directory structures are maliciously crafted by an attacker, this could lead to command injection or unintended execution of shell commands.
- [DATA_EXFILTRATION]: The skill is designed to locate and read highly sensitive information, including .env files, SSH/RSA private keys, and cloud provider credentials. While intended for auditing, this sensitive project context is sent to an external AI API (Gemini) for processing, representing a data exposure risk to a third-party service.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from the analyzed codebase.
  - Ingestion points: Source code, dependency manifests (package.json, pubspec.yaml), and configuration files are read into the agent's context.
  - Boundary markers: No explicit delimiters or instructions are provided to ensure the AI ignores malicious instructions embedded within the analyzed snippets.
  - Capability inventory: The skill possesses broad capabilities, including 'Bash', 'WebFetch', and 'Agent' access.
  - Sanitization: Project content is not sanitized or escaped before being included in the security report or the AI analysis prompt.
Audit Metadata