gemini
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements an `exec_script` command that enables the execution of arbitrary JavaScript code within a browser tab. This is demonstrated in `scripts/debug-chat.ts` and `scripts/inspect-gemini.ts`, providing a capability that could be misused to manipulate web sessions or access sensitive data in the browser context.
- [COMMAND_EXECUTION]: Several scripts, including `scripts/deep-research.ts`, `scripts/list-tabs.ts`, and `scripts/status.ts`, use `Bun.spawn` to execute the local command-line tools `mosquitto_pub` and `mosquitto_sub` for MQTT communication. This represents a local process execution surface.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'Gemini Proxy Extension' from an external, non-trusted GitHub repository (`github.com/laris-co/claude-browser-proxy`). Dependency on unverified third-party software components introduces potential supply chain risks.
- [DATA_EXFILTRATION]: The skill provides actions to extract full HTML (`get_html`) and text (`get_text`) content from browser tabs, which are then transmitted via an MQTT broker. If the broker is not properly secured, this creates a channel for exposing sensitive chat history or page content from the Gemini interface.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection vulnerabilities.
  1. Ingestion points: `scripts/youtube-transcribe.ts` (reads transcribed external video content).
  2. Boundary markers: Absent in prompt templates.
  3. Capability inventory: Arbitrary JavaScript execution via `exec_script` and local command execution via `Bun.spawn`.
  4. Sanitization: No sanitization of external content was observed before processing.
Audit Metadata